India has attempted to create a complex new legal framework for data protection in a much shorter period than it took Europe to craft the General Data Protection Regulation (GDPR). This implies that shortcomings are inevitable and implementation challenges are to be expected. Although, data protection bill is not a bad effort given the little time drafters had to produce it, the legislation is far from ready for enactment.
Companies processing data of Indian citizens have been left in the deep-end with the Data Protection Bill 2018 draft mandating “data localisation”, that implies keeping least one copy of all personal user data be stored in India.
“The statement by the ministry while releasing the draft bill raises doubt over Centre’s intent regarding it. Why is the government interested in the analysis of personal data of its citizens?,” asks Inderjeet Singh, CIO & CISO, Vara United, adding that another ambiguous point regarding “Right to be forgotten” as envisaged by the draft Data Protection Bill will lead to compromises with transparency, freedom of speech and freedom of press.
Singh is an experienced info systems professional with an experience of more than 27 plus years across a wide spectrum of areas spanning information security, risk management, cyber forensics, cyber warfare, expertise in SOC and CERT.
The bill has also tasked the Central Government with the responsibility of identifying categories of personal data that shall be classified as “critical personal data”. Critical personal data shall only be processed on a server or data center that is located in India. Such restrictions on cross border transfer of personal data may be difficult to enforce and at the same time increase the cost of processing for organisations.
Apparent flaws
While drafting the Data Protection Bill 2018, the committee has referred to the three key approaches to data protection that are currently adopted by other countries. The sectoral approach of the US, the omnibus regulatory approach of the EU and China’s approach of data protection for averting national security risks have been duly deliberated upon by the experts for coming up with the draft bill.
General Data Protection Regulation (GDPR) majorly focuses on the data security, data protection and also on user control of data. Whereas, the Chinese Cybersecurity Law is towards assisting its state in getting an upper hand in data processing. India’s draft Data Protection Bill 2018 Draft is more about taking the middle path, with an aim to empower both users as well as the state (giving benefit of doubt) as far as personal data protection is concerned.
Further, he highlights some of the flaws on the overall approach while drafting the bill :
• Unlike the General Data Protection Regulation (GDPR), Data Protection Bill treats data as a ‘matter of trust’ not as ‘property’
• Similar to the Chinese Cybersecurity Law, data fiduciaries processing Indians’ data will have to store “at least one serving copy” of personal data on a server or data center located in India. Thus, data localisation is a major point of contention amongst all the foreign players. In other words, foreign internet intermediaries and services, such as Facebook, Uber, Google, Twitter, AirBnB, Telegram, WhatsApp, and Signal may all be required to physically host user data in India.
• Data Protection Bill draft allows processing of personal data in the interests of the security of the state, if authorised and according to procedure established by law. Which permits the processing of personal data for prevention, detection, investigation and prosecution of any offence or any other contravention of law. This access to all personal data by the state poses an enormous threat to the right to privacy, given the weak safeguards that exist in India against state surveillance.
• When it comes to notifications of data breaches, the bill again leaves the scope for ambiguity by saying that the data breach notifications are to be made by the data fiduciary to the Data Protection Authority For India(DPAI) “as soon as possible”, in case they pose potential “harm” to data principals, without saying how soon.
• Organisations would be granted a transition period of 12 months post the enactment of the bill for ensuring compliance. This period seemingly is too less based on the lessons learnt from the implementation of the GDPR, which placed similar obligations upon organisations.
• Data ownership has been one of the important concerns that have been completely ignored.
Need for amendments in the current bill
The proposed bill represents significant progress towards a comprehensive data privacy regime, one that is lacking and increasingly urgent in India. Despite some deficiencies, it introduces a series of obligations modeled on the GDPR that go a long way in holding corporate and state power accountable for their use of personal data.
Singh also suggests the Srikrishna Committee and the Government of India need to address the shortcomings and failures in following areas of global data protection standards, which include:
• Establish independent authority and robust mechanisms for Personal Data Protection Bill 2018 enforcement.
• Do not ask for broad data protection and privacy limitations for national security.
• Bill should not authorise personal data processing based on the legitimate interest of companies without strict limitations.
• The “right to be forgotten” should not be added to the bill and companies should not be given the authority to gather sensitive data without consent.
• Create binding and transparent mechanisms for securing data transfer to third countries.