Ownership, consent, portability and localisation

Localisation is probably the most glaring departure from both business’ and civil society’s expectations. The committee’s bill requires all entities to store a copy of an individual’s personal data in India, which will have huge associated costs. Data ownership is not asserted as the sole domain of the data subject, which somewhat weakens the foundations of a data protection bill. Consent requirements are still stringent, though, with multiple requirements needed to be satisfied for the consent to be regarded as explicit. Portability is required as it is in the SaveOurPrivacy.in privacy code.

Advertisement. Scroll to continue reading.

Right to be forgotten, transparency, and surveillance

The Srikrishna Committee’s bill includes a right to be forgotten. The Adjudicating Officer, who is appointed under the data protection authority of India, will process applications based on sensitivity and necessity, among other factors. Anonymised data is not regulated by the bill, provided that the anonymisation is irreversible (the word anonymisation is itself defined as irreversible in all the bills). While the civil society bills allow users to access a copy of their information, the Srikrishna Bill only allows for a summary of that information to be accessed. On surveillance, the bill partially prohibits use of personal data for “security of the State” but doesn’t go as far as SaveOurPrivacy hoped it would in mandating oversight.

Penalties, data protection authority, and breaches

The bill goes farther than civil society expectations here by not only having stiff civil penalties, but also criminal penalties that could involve jail time. The bill sets up a data protection authority, but only one — individual states don’t get an authority of their own as the SaveOurPrivacy code hoped. Processing requirements are consistent with civil society attempts, but there exist carve-outs with fewer consent standards in the committee’s bill. Importantly, breaches don’t have to be disclosed to the public — only to the data protection authority.


Please note: MediaNama is also hosting discussions on the Srikrishna data protection bill in Delhi and Bangalore on August 23rd and 30th 2018 respectively. Click here to apply to attend.