“The Data Protection Authority telling the data fiduciary to notify data principals can be long enough to give time to the miscreants to use information to the detriment of the data principals,” said SFLC.in in its response to the additional comments sought by the Ministry of Electronics and Information Technology (MEITY) on the Personal Data Protection Bill, commenting on data breaches.
The ministry had privately sought responses to fresh questions on the data protection bill from select stakeholders – a development MediaNama made public last month. Commenting on the process, SFLC.in said that “a secret process with selective participants is harmful to the democratic nature of our country”. They also appealed that MEITY be “more transparent and open” with such processes in the future. Please note that SFLC.in wasn’t among the few stakeholders that the ministry sought comments from. Also, the questions asked by MEITY didn’t appear to be clarifications, and some of them covered new points of discussion not covered in the data protection bill consultation.
Here are detailed notes from SFLC.in’s responses:
‘Data Localisation might result in a net negative GDP’
Study economic and environmental impact of data localisation: It is not necessary to restrict the storage of any category of data within India. The storage of a very narrowly defined category of data such as state secrets could be restricted to India. A detailed study is required on the economic, environmental and opportunity costs associated with storing data within India before taking such a step.
Data localisation might hurt Indian businesses: Many developing nations look towards India as a role model for creating their own laws and frameworks. The perceived benefits of storing data locally, i.e. generating new jobs, may potentially be offset by an associated increase in the opportunity cost for Indian entrepreneurs that wish to expand their businesses to other countries, only to be faced with data localisation costs in those countries.
Fix the MLAT (mutual legal assistance treaty) process: Alternative methods to achieve lawful access to data can be developed, as the Internet connects devices across the globe, and any data stored anywhere in the world can be accessed remotely through the Internet. Our first priority should be to fix the MLAT process. This is already happening through global developments like the Budapest Convention and other international efforts to standardise digital privacy and data sharing.
‘Draft PDP Bill doesn’t impose adequate obligations on the data fiduciary’
Data breach notification obligation shifts responsibility away from the data fiduciary: The data breach notification obligation under the draft Bill is insufficient as it shifts the responsibility for assessing the potential damage from the data fiduciary to the Data Protection Authority of India (DPAI), said the organisation.
It also causes a delay in addressing data breaches: In its current state, the draft Bill does not consider the fact that many forms of harms to data principals can be mitigated if the data principals are immediately made aware of a breach.
- “A delay will be caused by the intermediate step of first notifying DPA, and then waiting for DPA to reach that particular breach notification, followed by time required for DPAI to adjudge the significance of that breach and whether data principals deserve to know that their data has been breached,” said SFLC.in.
Right to be forgotten is insufficient: The right to be forgotten is insufficient as the draft Bill does not provide a way for data principals to request deletion of their data. If their data is being held in trust by the data fiduciary, it is only natural for them to be able to request that their data no longer be held in trust, SFLC.in said.
Right to be forgotten requests should be passed to other entities who hold the relevant data: If a request is made under the right to be forgotten, it should be passed on by the data fiduciary to all other entities that have been provided a copy of that data, the organisation submitted.
‘DPA should have full oversight without govt’s interference’
DPA should be allowed to operate freely: Since the DPA is meant to have oversight of every government and non-government entity that deals with personal data, it must be allowed to operate freely.
Draft PDP Bill diluted DPA's role: The draft Bill has diluted the DPA's role, scope, powers and authority in favour of retaining powers in the hands of the central government. The DPA is meant to have the highest level of expertise in this matter, with oversight over all entities that deal with personal data.
Policy governing non-personal data: do we even need it?
No concept of community data arising from personal data: On one hand, the draft Bill suggests that data fiduciaries hold data in trust, i.e. they are not the owners of the data. The data still belongs to individuals. If that is the case, as it should be, then no concept of community data can arise from personal data as individuals cannot be forced to give up that which is theirs, except in the form of purely collective anonymized data from which individual entries cannot be retrieved. As long as individual entries can be retrieved, it will remain possible to re-identify that data.
E-commerce data ≠ collective anonymised data
E-commerce data is not equal to collective anonymised data: While a case can be made for free and open access to collective anonymized data for research and reporting, the same cannot be said for any form of ‘community data’ or ‘e-commerce data’. These forms of data are derived from personal data without sufficient safeguards for the protection of individuals. The government cannot legally enable private profiteering at the cost of the Right to Privacy of individuals. Any such clause will be subject to challenge before the Supreme Court of India as a violation of the Right to Privacy.