India’s draft data protection bill needs to do more to stack up against global standards

Note: This piece was originally published in The Wire.

India is on the cusp of enacting data protection legislation. After an eventful year following the Supreme Court’s Puttaswamy judgment interpreting the right to privacy as a fundamental right and the appointment of an expert committee on data protection in India by the Ministry of Electronics and Information Technology, the enactment of data protection legislation finally appears to be nearing its next stage.

On July 27, 2018, a ten-member committee of experts on the data protection framework in India submitted a 176-page report and a draft bill entitled The Personal Data Protection Bill, 2018 (“Draft Bill”) to the Minister of Electronics and Information Technology, Ravi Shankar Prasad. The committee was chaired by retired Indian Supreme Court Justice B.N. Srikrishna.

It is essential that the privacy and data protection framework for the next billion users of the internet is informed by global best practices, and provides a strong user rights-respecting regime. Foremost amongst these global standards and practices are those created and enforced by the EU. After many years of implementing its Data Protection Directive, the EU advanced its regulatory regime for data protection by enacting and recently officially implementing the General Data Protection Regulation (GDPR). The GDPR is a positive framework for data protection, and will help users take back control of their personal information. The framework is inspiring a number of governments around the world to introduce data protection legislation or to upgrade existing laws. Setting aside the issue of remaining loopholes for protection, the EU’s GDPR is proving to be an important benchmark for data protection legislation.

The Draft Bill proposed by the Srikrishna Committee draws inspiration in many instances from the GDPR. However, whether the Draft Bill provides an adequate framework for protecting the rights of the citizens of India is a live matter of debate.

Assessing the work of the Srikrishna Committee

At the start of 2018, several of us in the Access Now public policy team produced a policy guide based on the EU GDPR experience for lawmakers working on data protection legislation across the world. The guide, entitled ‘Creating a Data Protection Framework: A Do’s and Don’ts Guide for Lawmakers – Lessons from the EU General Data Protection Regulation’, provides a list of key issues that lawmakers should consider and emphasise when drafting comprehensive data protection legislation.

A copy of this lawmakers’ guide was submitted to the B.N. Srikrishna Committee on data protection in India earlier this year as a response to the public consultation carried out by the committee.

Following the submission of the report and the Draft Bill by the expert committee to the government of India, we embarked on an exercise of evaluating the Draft Bill, using the principles from the lawmakers’ guide as the benchmark. We have sought to provide a clear, concise, and principles-based evaluation of the complexities within the data protection framework proposed by the Indian expert committee.

A full copy of our larger evaluation report – entitled ‘Assessing India’s proposed data protection framework: What the Srikrishna Committee recommendations could learn from the lessons of Europe’ – is now available online.

Of the 15 data protection lessons we identified earlier, we found that the Srikrishna Committee output passed muster on four principles, needs improvements on eight principles and failed in three areas. Overall, the Government of India needs to address the shortcomings and failures in the output presented by the Srikrishna Committee in 11 areas of global data protection standards. These include the following areas:

  • Ensure transparent, inclusive negotiations
  • Define and include a list of binding data protection principles in the law
  • Define legal basis authorising data to be processed
  • Include a list of binding users’ rights in the law
  • Create binding and transparent mechanisms for secure data transfer to third countries
  • Develop data breach prevention and notification mechanisms
  • Establish independent authority and robust mechanisms for enforcement
  • Do not seek broad data protection and privacy limitations for national security
  • Do not authorise processing of personal data based on the legitimate interest of companies without strict limitations
  • Do not develop a “right to be forgotten”
  • Do not authorise companies to gather sensitive data without consent

Understanding the issues at play

The Draft Bill, in its current state, has many hits and misses. It is important to pay attention to the deeper details involved in many of these issues, in order to ensure that Parliament considers and passes a strong, effective privacy and data protection law aimed at protecting Indian citizens.

In our analysis, we found that the provisions of the Draft Bill defining the scope of application of the law, along with data security measures proposed for entities, seem to be strong. While multiple important rights to which users are entitled have been codified under the Draft Bill, many gaps persist under the proposed regime. Rights such as the right to access and rectify data have been diluted and must be strengthened, and certain key rights such as the right to object and the right to explanation are not provided under the Draft Bill. The steps taken toward data integrity and data protection impact assessment are encouraging, and so are the provisions aimed at ensuring proper consent and standards thereof. However, the provisions on obtaining prior explicit consent have been diluted by the over-broad criteria of “exercise of functions of the state”.

We found the proposals for data localisation quite concerning, especially given such measures serve a surveillance and law enforcement purpose, at the cost of privacy and protecting user data. In the absence of adequate regulation of governmental access to citizen data in India, these data localisation measures may make user data in India liable to indiscriminate access by the government.

That there is a severe need to reform the surveillance regime in India is a fact noted by the expert committee itself in its report. However, despite this acknowledgement, neither the Draft Bill nor the report contains legislative language to reform and tighten Indian surveillance and investigatory powers. This is exacerbated by the several exemptions from data protection requirements that the Srikrishna Committee currently proposes to provide to government departments and other public agencies in the name of “security of state” and “exercise of state functions”. This approach undermines confidence in the Indian government’s publicly stated resolve to truly protect the rights of its citizens and signals a surveillance creep in the data protection regime in India.

The Data Protection Authority, as currently outlined by the legislative text proposed by the Srikrishna Committee, would not be sufficiently independent from the executive or effective in its functioning. There are multiple concerns regarding the independence of the Authority, as well as ambiguities regarding the processes and jurisdiction of various departments within the Authority, particularly around the appointment, powers, and ways of working of the “adjudicatory officers” proposed in the Draft Bill to hear and decide claims brought by individuals regarding their data protection rights being infringed. The Draft Bill obliges the Data Protection Authority to conduct “mandatory” public consultation while making “codes of practices”, but multiple areas of regulation have been put outside the purview of this obligation. It is imperative that such consultations are made mandatory with respect to all regulations issued by the Authority in order to be truly user-centric, transparent and accountable.

The Draft Bill seeks to amend one of the most celebrated rights of Indian democracy: the right to information. The additional language that this bill proposes to add to the existing Right to Information Act raises significant dangers – about which many in the right to information and right to privacy communities have raised concerns – especially of government departments much more actively seeking to refuse right to information requests.

Making sure we improve on the work of the Srikrishna Committee

The Srikrishna Committee report and its Draft Bill – which must be acted on by the government of India and finally considered in Parliament – require further work to ensure that they truly protect the rights of users.

The outputs from the Srikrishna Committee ultimately represent the work of one expert committee. It is up to the Ministry of Electronics and Information Technology, and the government of India as a whole, to improve on the text provided to them and ensure that Prime Minister Narendra Modi and his Cabinet recommend a much stronger, citizen-focused bill for consideration by Parliament.

And ultimately, MPs must be allowed to perform their role and push themselves to enact only a strong privacy law for the Indian Union.