India’s Digital Personal Data Protection Bill passed: “it’s a bad law”

Update: India moves forward on privacy and data protection for the next billion

India is home to the second-largest internet user population in the world, but still awaits a privacy and data protection law. The government of India began the process of seeking to draft and enact a privacy law nearly a decade ago, starting more actively in 2010. After involving around half a dozen ministries and numerous efforts, the Ministry of Electronics and Information Technology was last designated in 2017 with the task of developing and introducing union-level legislation on data protection and privacy.

The Committee of Experts on a Data Protection Framework for India

In August 2017, the Ministry of Electronics and Information Technology formed a 10-member committee to draft the bill on data protection and privacy. Retired Supreme Court Justice B.N. Srikrishna was appointed as chairman of the Committee of Experts on a Data Protection Framework for India.  According to the government notification, the committee was constituted to make suggestions on “principles to be considered for data protection in India and suggest a draft data protection bill.” In July last year, the Supreme Court delivered a landmark judgment interpreting the right to privacy as a fundamental right. The judgment was expected to work as the guiding principle of the experts’ committee.

On 27 November 2017, the committee released a white paper on the issue of data protection in India. In the 243-page paper, the committee observed that a data protection framework in the country should be based on the following seven principles:

(i) law should be flexible to take into account changing technologies, (ii) law must apply to both government and private sector entities, (iii) consent should be genuine, informed, and meaningful, (iv) processing of data should be minimal and only for the purpose for which it is sought, (v) entities controlling the data should be accountable for any data processing, (vi) enforcement of the data protection framework should be by a high-powered statutory authority, and (vii) penalties should be adequate to discourage any wrongful acts.

After releasing the white paper, the committee called for stakeholders to submit comments on questions it raised. The deadline for receiving comments was 31 January 2018. Subsequently, the committee also decided to hold consultations in four major cities of India — Delhi, Mumbai, Bangalore, and Hyderabad. Access Now provided written input to this consultation and took part in the open-house meetings. Given the importance and complexity of the subject, the committee was expected to hold further consultations.

Today, the B.N. Srikrishna Committee submitted its 176-page report to Ravi Shankar Prasad, India’s Union Cabinet Minister of Electronics and Information Technology. The committee also submitted a draft of the legislation on data protection titled “The Personal Data Protection Bill, 2018.” The report and draft legislation were first released to the public with today’s submission.

An initial view and understanding the way forward

The report and the bill have been submitted to the Ministry of Electronics and Information Technology. The ministry will consider the bill, perhaps make amendments, and then may choose to bring the bill to Parliament for enactment. The introduction and passage of the bill remains a matter of speculation, given the upcoming general elections likely to occur in the first half of 2019. The current government only has two sessions of Parliament left for introduction, consideration, and passage of the bill.

In parallel, #SaveOurPrivacy — an Indian advocacy movement founded in support of a model draft law called the Indian Privacy Code, 2018 — is also gaining steam in India. The model law — drafted by a committee of volunteer lawyers from the digital rights community in India — covers the specific and nuanced issues of privacy, data protection, interception, and surveillance, and builds on seven privacy principles the drafting committee identified as the pillars of the legislative effort. This movement aims to push the government in India to finally do something, to make sure that the outcome is one which protects the large base of users in India, and to institute proper mechanisms to protect the fundamental right to privacy in India.

At Access Now, we lauded this effort to bring about a user-centric privacy regulation in India. The Srikrishna Committee report and its attached draft bill — which has to be acted on by the government of India and finally considered in Parliament — requires further study as to whether it truly protects the rights of users. The #SaveOurPrivacy movement has provided their initial statement on the bill here, welcoming the advancement of the process but raising concerns regarding the approach proposed by the Srikrishna Committee and many gaps in provisions necessary to effectively protect users’ fundamental right to privacy.

We will soon be providing a detailed take on the Justice Srikrishna Committee bill submitted to the Ministry of Electronics and Information Technology, measuring the effectiveness of the bill and building on our list of dos and don’ts from our lawmakers’ guide to approaching data protection.