In the lead-up to the release of the BN Srikrishna-led Committee’s Personal Data Protection Bill, 2018, there were two civil society attempts to create a bill on their own. Dvara Research, formerly the IFMR Finance Foundation, created what it called a “skeletal legislative document” that was essentially a bill of its own. The other attempt was by, who created an “Indian Privacy Code, 2018”. Below is a tabular comparison of these two attempts with the bill eventually submitted by the Srikrishna Committee.

Ownership, consent, portability and localisation

Localisation is probably the most glaring departure from both businesses’ and civil society’s expectations. The committee’s bill requires all entities to store a copy of an individual’s personal data in India, which will have huge associated costs. Data ownership is not asserted as the sole domain of the data subject, which somewhat weakens the foundations of a data protection bill. Consent requirements are still stringent, though, with multiple requirements that must be satisfied for the consent to be regarded as explicit. Portability is required, as it is in the privacy code.

Right to be forgotten, transparency, and surveillance

The Srikrishna Committee’s bill includes a right to be forgotten. The Adjudicating Officer, who is appointed under the data protection authority of India, will process applications based on sensitivity and necessity, among other factors. Anonymised data is not regulated by the bill, provided that the anonymisation is irreversible (the word anonymisation is itself defined as irreversible in all the bills). While the civil society bills allow users to access a copy of their information, the Srikrishna Bill only allows for a summary of that information to be accessed. On surveillance, the bill partially prohibits use of personal data for “security of the State” but doesn’t go as far as SaveOurPrivacy hoped it would in mandating oversight.

Penalties, data protection authority, and breaches

The bill goes farther than civil society expectations here by not only having stiff civil penalties, but also criminal penalties that could involve jail time. The bill sets up a data protection authority, but only one — individual states don’t get an authority of their own as the SaveOurPrivacy code hoped. Processing requirements are consistent with civil society attempts, but there exist carve-outs with fewer consent standards in the committee’s bill. Importantly, breaches don’t have to be disclosed to the public — only to the data protection authority.