India Prepares Draft Bill for GDPR-Like Data Protection But With Several Loopholes

Jul. 28, 2018

India is following the footsteps of the European Union and is likely to soon have a legislation which limits the control which tech companies enjoy on the user datastored and “harvested”by them. A committee headed by Supreme Court justice BN Srikrishna haspresented a draft of the billwhich protects the privacy rights of digital users in India.

As per the213-page draft bill, the regulation will put acts like the collection and processing of large volumes of user data using new technologies under the category of “significant data fiduciary”. The companies violating this clause or misusing their monopoly on users’ data for monetary benefits willearn a fine of Rs. 15 crores (~$2.2 million) or 4 percent of the global revenue.

Which instances of data fall under the “categories of sensitive personal data which are critical to the nation” will be decided by the government after rigorous assessment in the Parliament. As a result,companies will have to undergo frequent auditsfor compliance with the regulations.

The regulation also introduces the concept of “right to be forgotten” which means thatcompanies will have to remove the data of users from their databases if the user requests so. It also mandates that any sort ofprocessing of data will have to take place on servers located in Indiaand not sent out of the country.Indian Minister for IT & Law, Ravi Shankar Prasad; Courtesy: Khabar India

However, one key area in which the draft bill defaults is that it does not give citizens absolute control over their data and will allow the government to sift through private information on the grounds of national security. Moreover, it only holds private companies accountable for loss or abuse of data and does not put any onus on thelack of security on critical databases such as that of UIDAI.

Moreover,Nikhil Pahwaof MediaNama also claims that thesepenalties are tiny compared to global standards, especially in sight of themonumental $5 billion finelevied by the EU on Google for misuse of its monopoly among Android users. The draft bill also omits throwing much light on accountability of data and one example of this is theabsence of mandatory provisions to inform users when a data breach occurs.

This draft bill which talks about the protection of private data in India lacks some critical aspects andputs the rights of the government on user data ahead of the rights of the citizensthemselves. In its present state, the law appears to be a crafty attempt at ensuring data privacy and more like an attempt to grant the government totalitarian-ish control over the citizens’ digital lives – something similar to what exists in China.

While there is no certainty, it is possible that the regulation is coherent with the government’s plans to create adigital surveillance toolaimed at slapping a feeling of patriotism. We believe that the government should spend more efforts consulting international experts to create a solid law which is democratic in all its aspects, not just its appearance.