Mentor’s Comment:

The bill is submitted by the Justice B N Srikrishna headed panel which has suggested measures to be taken in order to protect personal information of Indian citizens. The introduction should explain such things in short by mentioning about roles, duties of data processors and the rights of individuals and also about the penalties.

Further, mention about the need of data protection law. There is no separate law till now, required for the efficient management of data, information privacy requires data protection, right to privacy no a FR, protection from unauthorised leaks, hacking, cyber crimes and frauds etc. because economic cost of data leak/lost is high. Etc.

Next, mention about the key provisions of the bill. Takes into account three aspects of data protection: the citizens, the state and the industry.

Next, mention what are the positive benefits of the bill.

Next, talk about issues related to the draft bill and its provisions and suggest how it can be improved and conclude.

Model Answer:

The draft personal data protection Bill 2018 was submitted by the Justice B.N. Srikrishna-headed expert panel. The committee has suggested measures to be taken when it comes to protecting personal information of Indian citizens, the role and duties of data processors, and the rights of individuals. The report also talks about the penalties that should be imposed for violation of these data protection measures.

Need data protection law:

• India does not have a separate law for data protection.
• Efficient management of data in the age of Big Data
• One of the major challenges to big data is information privacy which necessitates a robust data protection.
• Right to privacy is now a fundamental right.
• The right to privacy encompasses the right to have data protected.
• Unauthorized leaks, hacking, cyber-crimes, and frauds.
• Economic cost of data loss/theft is high
• Improve business process, and secure digital payments
• Restrict use of data by data colonizing companies such as Facebook, Whatsapp.

Key Provisions of the Bill:

• The draft takes into account three aspects in terms of data – the citizens, the state and the industry.
• Critical personal data of Indian citizens should be processed in centres located within the country. Central government will notify categories of personal data that will be considered as critical.
• Other personal data may be transferred outside the territory of India with some conditions. However, at least one copy of the data will need to be stored in India.
• For data processors not present in India, the Act will apply to those carrying on business in India.
• It may also include other activities such as profiling which could cause privacy harms to data principals in India.
• The draft also provides for penalties and compensation for violations of the data protection law. The penalty would be Rs.15 crore or 4% of the total worldwide turnover of any data collection/processing entity, for violating provisions.
• Processing of sensitive personal data should be on the basis of “explicit consent” of the data owner. The consent should be given before the commencement of the processing.
• The law will not have retrospective application.
• Right to be forgotten.
• Setting up a Data Protection Authority to prevent misuse of personal information.
• The draft Bill also provides for setting up an Appellate Tribunal.

Positives of the bill:

• The draft legislation puts the onus on the “data fiduciary” to seek clear, informed, specific and free consent, with the possibility of withdrawal of data of the “principal” to allow for the use and processing of sensitive personal data.
• It provides for or “data principals” the rights to confirmation, correction of data, portability and “to be forgotten”, subject to procedure.
• The bill is quite strict on how companies and government will be treated if they are found to have committed offences under the Act.
• The draft bill is strict on government departments and state governments if leakage happens in personal data through them.
• It notes that if any offence is committed by a department of the central or a state government, the “head of the department or authority shall be deemed to be guilty of the offence and shall be liable to be proceeded against and punished accordingly”.
• This ensures that the blame isn’t passed off onto a lower-level government officer.
• The expanded definition of sensitive personal data to include health, financial and sex-related information is important and is a welcome step.
• The draft has made specific mention of the need for separate and more stringent norms for protecting the data of children, in their best interest.

Issues with the draft bill:

• The rights of correction, updating, and data portability are included in the draft, but the “right to be forgotten” is only vaguely articulated.
• Further, there is no apparent “right of deletion or right to object processing”.
• The envisioned “Data Protection Authority” would have the powers to decide if data breaches are to be disclosed at all to affected users.
• This is in contrast to the expectations that hoped that the law would mandate the disclosure of all database breaches to the concerned public.
• No attempt has been made to curb government surveillance and the push for “data localisation” might actually aggravate this.
• Notably, the government has been empowered to classify any information as “critical personal data” and mandate its storage and processing within India.
• Significantly, the controversial case of “Aadhar” hasn’t been discussed in the bill as the matter is under the judicial scanner.
• Amendment in RTI and Aadhar act may dilute the existing laws
• The storage of one copy of personal data in India will impose additional cost to companies
• Restriction on cross border flow of data may prove detrimental in era of digital global economy

How to Improve It:

• It is important to strike a right balance between digital economy and privacy protection
• Government must incorporate suggestions from various stakeholder over the draft bill before finalizing the bill.
• Privacy should not be used to undermine government transparency. Data protection law should be framed such that it does not make government opaque and unaccountable
• Any comprehensive privacy law has to include surveillance reform, dealing separately with State and private actors.