‘Some of the clauses will create hurdles for businesses’

While the draft Bill for protection of personal data of Indian citizens has been welcomed as a positive start, it is not without loopholes, according to various stakeholders who have called for an in-depth consultative process before the Bill becomes a law.

An expert panel headed by Justice B.N. Srikrishna, on Friday, submitted its report on data protection as well as the draft ‘The Personal Data Protection Bill, 2018’ after a year-long consultation process.

“India’s data protection law will shape the relationship between users and the companies and government entities they entrust with their data,” said Mitchell Baker, Chairwoman of Mozilla – the company behind Firefox browsers.

“This draft bill is a strong start, but to truly protect the privacy of all Indians, we can’t afford loopholes such as the Bill’s broad exceptions for government use of data and data localisation requirements,” she added.

Mishi Choudhary, managing partner at MCA, emphasised that the Bill in its current form should not be introduced in Parliament and further consultations must take place.

Among other things, she pointed out that the recommendations make every offence cognizable and non-bailable, which just creates more hurdles for businesses and individuals. “This isn’t to say there should not be harsh penalties. But what have we learnt from almost a decade with the IT Act? With little understanding of technology, sections are slapped forcing companies and executives to deal with the criminal machinery, the effectiveness of which needs no mention.”

Ms Choudhary added that the Bill makes it cumbersome for even the data principals – whose data it is – to understand and exercise their rights effectively.

‘Proxy surveillance’

In a blog, Mozilla argued that data localisation is bad for business, users and security. “Notwithstanding the protections on processing in the interest of the security of the state, it’s hard to see that this provision is anything but a proxy for enabling surveillance,” it said.

The National Association of Software and Services Companies pointed out that policies that govern data protection, storage and classification need to be carefully crafted given the global footprint of the IT-BPM sector. “Service providers in India process financial, healthcare and other data of citizens globally…mandating localization of all personal data…is likely to become a trade barrier in the key markets,” it said.

A member of the expert panel, Rama Vedashree, the CEO of the Data Security Council of India set up by Nasscom, has termed the data localisation requirement “not only regressive but against the fundamental tenets of our liberal economy.” Her dissent note is part of the report submitted.

Likewise, another committee member Prof. Rishikesha T. Krishnan, director, IIM, Indore, in his dissent note has said, “The requirement that every data fiduciary should store one live, serving copy of personal data in India is against the basic philosophy of the Internet and imposes additional costs on data fiduciaries without a proportional benefit in advancing the cause of data protection.”

The draft law has proposed that critical personal data of Indian citizens be processed only in data centres located within the country, while personal data may be transferred outside India. However, at least one copy of the data will need to be stored in India.

“The bill exempts government agencies from seeking consent when it comes to the delivery of services and instead mandates that such data collection should be necessary. It isn’t clear why both can’t apply,” Amba Kak, policy advisor for Mozilla, told The Hindu.

This could be concerning because several government services exist in the same marketplace as private actors, from schools and hospitals to payment systems and transportation, she said, adding that it is not clear why the government need not obtain consent, in situations where similar private services will have to.

“When it comes to certain sensitive data, like caste, religion or political party affiliation, they must show that it is ‘strictly necessary’. While we welcome this strong standard, there will be a need for more guidance on what these terms mean in practice,” Ms Kak said.

Talking about Aadhaar, she said, “As a significant data fiduciary under this Bill, the UIDAI would also be subject to stricter security requirements, including the necessity of independent audit. This could be one way to increase transparency in the currently opaque security practices of Aadhaar.”

The panel has recommended that the Aadhaar Act be amended “significantly” to bolster privacy protections and ensure autonomy of the UIDAI. Interestingly, the suggestions are limited to the report and are not part of the Bill.

On individual rights, while comprehensive rights of correction, updation, and data portability have been included in the draft law, rights to deletion and to object to processing, which are guaranteed by other data protection laws around the world including the EU’s GDPR, are notably missing.

Stating that the bill provides “substantive protections” from potential mass surveillance, Mozilla pointed out that for the number of intelligence and security agencies that currently operate in a legal vacuum, this bill would necessitate certain regulation.