We at SFLC.in conducted a series of multi-stakeholder round table discussions on the Data Protection Bill, 2018 submitted by the Expert Committee on Data Protection headed by Justice (Retd.) B.N. Srikrishna. We organized this series of discussions in four different cities of India, namely Delhi(September 4th ,2018), Bangalore(September 25th,,2018), Mumbai (September 26th,2018) and Kochi (September 27th, 2018). Experts from the civil society, academia, independent lawyers, banks, startups, industry bodies and representatives from media, industry and tech companies participated and expressed their views on the Personal Data Protection Bill, 2018.
The round-table events featured three separate panel discussions focusing on data principal rights and data fiduciary obligations; data localization and exemptions; and administration and enforcement which were discussed in detail.
These discussions were aimed to urge leaders and key stakeholders to put forth their views on the draft Personal Data Protection Bill and to urge the Ministry of Electronics and Information Technology (MeitY) to make appropriate amendments in the Bill. MeitY invited comments on the Bill from the public by September 10, 2018, which had been extended to September 30, 2018 at the time of these discussions. The deadline has now been extended to October 10, 2018 in light of the judgment of the Supreme Court of India in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India [W.P. (C) 494 of 2012] delivered on September 26, 2018, thereby allowing more time for stakeholders to submit their research and comments for the Bill. The inputs from these discussions will form a part of the recommendations that we will submit to MeitY.
Session one focused on data principal rights and data fiduciary obligations. Key takeaways from this session were:
-
There are a lot of ambiguities in this Bill. There is no clear definition of phrases such as 'fair and reasonable processing', and ‘sensitive and critical Data’, among others. Furthermore, functions of the State are widely worded, neglecting the test of necessity and proportionality.
-
The rights of Internet users have been severely limited, particularly compared to European Union’s GDPR. The participants agreed that the concept of Right to be Forgotten has been inaccurately borrowed from the GDPR and does not include right to delete/erase your personal data.
-
Concerns were raised with respect to provisions regarding the age to obtain a child’s consent. It was stated that in India, many teenage girls try to protect their data from their parents, who strictly monitor their phone usage. In that light, it would be ironical that parental consent will be needed to protect the data of children. In our country, parents do not wish their daughters to be on certain social media platforms and discourage them to engage with the opposite sex. Therefore, if such a provision is strictly implemented, it will directly impact minors.
Session two, was on topic of Data Localisation. Key takeaways from this session were:
-
Many startup founders expressed that the interest of small and medium enterprises has not been considered. They raised concerns that data localization would harm small businesses and startups with compliance burden and raised costs.
-
The Bill would heavily impact the BPO, AI and IoT industries as they thrive on huge amount of data that is generally crowd sourced. Data mirroring/localization requirements would limit the possibilities of business and research. The Bill could benefit from additional clarity with regard to the classification of data, what data must be stored within the country and what may be transferred outside as these provisions are ambiguous at best.
-
India requires significant investment in data center infrastructure, multiple Optic Fiber backbones and enhanced power generation and grid capacity before we mandate data localization/mirroring. Data storage, cloud computing and bandwidth costs in US are a fraction of the current costs in India, making it economically infeasible to mandate storage of data within India at this point in time. The increased costs would pose a tremendous deterrent to the viability, sustainability and competitiveness of startups in India. This would be detrimental for the government’s efforts to promote a startup ecosystem within the country.
Session Three covered the issues with respect to Administration and Enforcement of this Bill. Key takeaways from this session were:
-
It was pointed out that the Data Protection Authority of India (DPAI), the proposed body for enforcement and administration of the Bill is not completely independent considering the critical responsibilities bestowed upon it. Attendees were of the view that excessive governmental control exists via power to make appointments and remove members of the DPAI, power to determine salaries and allowances, and power to notify certain categories of personal data that can be processed only in India, among other provisions in the Bill.
-
The Bill provides for criminal liability in cases of breach, it was opined that if employees of the companies will be held liable on the charge of data theft done at much higher level in the company then government employees working with the state should also be held accountable. Thus, it was opined that the law should be drafted and executed without any bias.
-
The Bill provides for data mirroring and creation of data centers. All these provisions lead to nationalization of data. It provides for data that is generated in India to be stored in India in order to create jobs in India and revenue for India. But at the same time the Bill requires damages of Companies with foreign presence to be calculated on the basis of their global revenue. Some companies found it unfair to calculate damages from their global revenues.
-
The shortcomings of the Bill were highlighted in the light of privacy and Aadhaar judgments. It was opined that this Bill does not address the concerns regarding profiling and targeted advertising deployed by state and non state actors. Participants highlighted the manner in which the Bill fails to stand the test of proportionality under the nine judge bench Right to Privacy judgment.
The panels across three cities unanimously recommended that there should be adequate sensitization, training and compliance certification for the people and businesses to be able to understand the implications of this Bill. It was agreed that the Data Protection Authority of India (DPAI) has been overburdened with roles and responsibilities. Many participants expressed that the draft law is heavily tilted towards the Central Government and is not a balanced law that considers the interests of all stakeholders.