The draft Bill suggests steps to safeguard personal information.
Cyber experts and law-makers have pointed out anomalies and contradictions in the Personal Data Protection Bill, 2018, and called for more detailed discussion with stakeholders before bringing it up in the upcoming winter session of Parliament.
The government is hopeful of introducing the Bill in the winter session. The Bill was drafted by a high-level committee headed by Justice B.N. Srikrishna. Following the submission of the draft Bill and data protection report in July, the IT Ministry sought public feedback by 30 September.
The draft Bill suggests steps for safeguarding personal information, defining obligations of data processors as also rights of individuals and proposed penalties for violations. It also seeks “explicit consent” for processing sensitive personal information like religious or political beliefs, sexual orientation and biometric details. However, experts and law-makers feel there are several loopholes in the Bill which need to be addressed before it is tabled in Parliament.
For example, there are restrictions on cross-border data transfers, which may have far-reaching implications on India as an internet market. As per the draft Bill, certain categories of data will be stored in data centres located within India. These categories will be notified by the Data Protection Authority at a later stage. This may create a barrier to market entry.
Moreover, the Bill requires contractual and inter-group cross-border transfer arrangements to be approved by the Authority, which may harm the ease of doing business. According to Rajya Sabha MP Rajeev Chandrasekhar, these restrictions appear to be motivated only to facilitate law enforcement and security agencies access data and do not lead to any meaningful bolstering of privacy rights while it can be argued that the impact of such restrictions is also far-reaching and disproportionate to the benefits.
“The restrictions on cross-border data transfers have the potential to create a case for isolating the Indian market. It is highly likely that countries such as the United States, under the Trump administration, will respond kindly, in line with its terse stance on free trade. The great dividends of efficiency created by the internet will be lost to these measures that fragment it,” he said.
In his letter to IT Minister Ravi Shankar Prasad, Chandrasekhar said that rushing it to the upcoming winter session of Parliament will be counter-productive as it is ill-planned and has wide-reaching implications.
Cyber expert Anupam Saraf said the Srikrishna Committee draft Bill on data protection is flawed to enable a data protection regime. “Data protection is about ensuring the fidelity of the data available to transacting parties and the regulator of transactions. It is about protecting transacting parties from third parties who have nothing to do with the transactions from gaining access, control or rights to the data. It is incorrect to treat transacting parties as ‘data subjects’ whose data can be exploited by third parties, or data fiduciaries. The approach of creating data fiduciaries will not only damage commerce and the economy, it will erode trust as it will be impossible to distinguish genuine data from fraudulently generated data,” he said.
Saraf said commerce grows when the data is protected from being fraudulently generated, when genuine versions can be distinguished from fake versions by certification by the transacting parties and when a regulator can audit the generation, certification and restriction of the data beyond the transacting parties.
“The mess caused by Aadhaar is an example of data generated by third parties who are not part of transactions that require the data and such data is indistinguishable from genuine data as it is not generated or certified by transacting parties,” he said.