The IT Ministry has extended its public comment deadline for the Srikrishna committee’s Personal Data Protection Bill to September 30. This gives companies and other stakeholders two extra weeks to respond to the final bill in detail, something that they had brought up multiple times in discussions on the draft.
This further consultation, which was announced on August 14, takes on special significance given the contentious nature of the draft bill: there were voices of dissent from within the committee that found a place in its official report. The data protection bill’s provisions on maintaining a copy of personal data in India and its stiff criminal penalties for breaches have also drawn criticism.
It’s unclear if the comments to the draft bill collected by MeitY will be made public. Public comments solicited by the Srikrishna Committee prior to the bill’s drafting stage were not made public. In fact, MeitY declined multiple RTI requests to publish stakeholder comments. It’s also unclear if MeitY will hold a counter-comment stage of consultation, where stakeholders will be able to comment on each other’s responses. This two-stage process is typical of TRAI consultations, where comments are made public and commented on in a counter-comment stage as a matter of process.
How the bill measures up
While comments to the Srikrishna Committee were not published, some organisations made their filings public voluntarily. Here’s a comparison of the Srikrishna Committee’s bill with the expectations of i) Dvara Research, which prepared a skeletal draft bill of its own, and ii) SaveOurPrivacy.in, a volunteers’ collective spearheaded by the Internet Freedom Foundation (Note: MediaNama editor and publisher Nikhil Pahwa is IFF co-founder).
Ownership, consent, portability and localisation
Localisation is probably the most glaring departure from both businesses’ and civil society’s expectations. The committee’s bill requires all entities to store a copy of an individual’s personal data in India, which will have huge associated costs. Data ownership is not asserted as the sole domain of the data subject, which somewhat weakens the foundations of a data protection bill. Consent requirements are still stringent, though, with multiple requirements that need to be satisfied for the consent to be regarded as explicit. Portability is required as it is in the SaveOurPrivacy.in privacy code.
Right to be forgotten, transparency, and surveillance
The Srikrishna Committee’s bill includes a right to be forgotten. The Adjudicating Officer, who is appointed under the data protection authority of India, will process applications based on sensitivity and necessity, among other factors. Anonymised data is not regulated by the bill, provided that the anonymisation is irreversible (the word anonymisation is itself defined as irreversible in all the bills). While the civil society bills allow users to access a copy of their information, the Srikrishna Bill only allows for a summary of that information to be accessed. On surveillance, the bill partially prohibits use of personal data for “security of the State” but doesn’t go as far as SaveOurPrivacy hoped it would in mandating oversight.
Penalties, data protection authority, and breaches
The bill goes farther than civil society expectations here by not only having stiff civil penalties, but also criminal penalties that could involve jail time. The bill sets up a data protection authority, but only one — individual states don’t get an authority of their own as the SaveOurPrivacy code hoped. Processing requirements are consistent with civil society attempts, but there exist carve-outs with fewer consent standards in the committee’s bill. Importantly, breaches don’t have to be disclosed to the public — only to the data protection authority.