wordpress blog stats
Connect with us

Hi, what are you looking for?

How the Data Protection Bill measures up to civil society expectations

In the lead-up to the release of the BN Srikrishna-led Committee’s Personal Data Protection Bill, 2018, there were two civil society attempts to create a bill on their own. Dvara Research, formerly the IFMR Finance Foundation, created what it called a “skeletal legislative document” that was essentially a bill of its own. The other attempt was by SaveOurPrivacy.in, who created an “Indian Privacy Code, 2018“. Below is a tabular comparison of these two attempts with the bill eventually submitted by the Srikrishna Committee.

Ownership, consent, portability and localisation

Localisation is probably the most glaring departure from both businesses’ and civil society’s expectations. The committee’s bill requires all entities to store a copy of an individual’s personal data in India, which will have huge associated costs. Data ownership is not asserted as the sole domain of the data subject, which weakens somewhat the foundations of a data protection bill. Consent requirements are still stringent, though, with multiple requirements needed to be satisfied for the consent to be regarded as explicit. Portability is required as it is in the SaveOurPrivacy.in privacy code.

Right to be forgotten, transparency, and surveillance

The Srikrishna Committee’s bill includes a right to be forgotten. The Adjudicating Officer, who is appointed under the data protection authority of India, will process applications based on sensitivity and necessity, among other factors. Anonymised data is not regulated by the bill, provided that the anonymisation is irreversible (the word anonymisation is itself defined as irreversible in all the bills). While the civil society bills allow users to access a copy of their information, the Srikrishna Bill only allows for a summary of that information to be accessed. On surveillance, the bill partially prohibits use of personal data for “security of the State” but doesn’t go as far as SaveOurPrivacy hoped it would in mandating oversight.

Penalties, data protection authority, and breaches

The bill goes farther than civil society expectations here by not only having stiff civil penalties, but also criminal penalties that could involve jail time. The bill sets up a data protection authority, but only one — individual states don’t get an authority of their own as the SaveOurPrivacy code hoped. Processing requirements are consistent with civil society attempts, but there exist carve-outs with fewer consent standards in the committee’s bill. Importantly, breaches don’t have to be disclosed to the public — only to the data protection authority.


Advertisement. Scroll to continue reading.

You May Also Like


Key Takeaways Lack of clarity on originator: The rules do not clearly define who an originator is and fail to address the traceability of messages...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ