“Srikrishna committee” was mandated to draft a law for “privacy protection” after widespread study and consultations.
The committee has now released its report and the draft law, but it has opened to mixed reviews and several loopholes have been pointed out.
What are the positives of the draft bill?
“Draft Personal Data Protection Bill 2018” displays the principles to be followed in protecting an individual's fundamental right of privacy.
What - The bill is progressive as it seeks to clearly recognize the importance of privacy and defines personal data broadly (beyond the current metrics).
Personal data now includes - passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political affiliation.
Importantly, “location” is one critical indicator that hasn’t been considered sensitive by the draft bill.
Consent - The bill seeks to make data processing “fair and reasonable” by permitting for only limited personal data to be collected.
It mandates that data aggregation needs to be done only for a clearly specified lawful purpose, with the explicit consent of the concerned person.
Nonetheless, broad exemptions granted within the bill are a serious setback to this provision and the envisioned overall privacy structure.
What are the major concerns with the bill?
Deletion - The rights of correction, updating, and data portability are included in the draft, but the “right to be forgotten” is only vaguely articulated.
Further, there is no apparent “right of deletion or right to object processing”.
Transparency - The envisioned “Data Protection Authority” would have the powers to decide if data breaches are to be disclosed at all to affected users.
This is in contrast to the expectations that hoped that the law would mandate the disclosure of all data base breaches to the concerned public.
State Snooping - No attempt has been made to curb government surveillance and the push for “data localisation” might actually aggravate this.
Notably, the government has been empowered to classify any information as "critical personal data" and mandate its storage and processing within India.
Significantly, the controversial case of “Aadhar” hasn’t been discussed in the bill as the matter is under the judicial scanner.
Broad Exemptions - Data may be collected without consent for compliance with legal orders, for employment related aspects, and for emergencies.
Further, it has been stated that data might also be collected for ‘functions of the state’, which is a broad and discretionary a category.
How does the draft fare overall?
It is a pity that the consultative process was opaque, with submissions to the committee kept confidential.
Further, unlike with most draft bills, there is no apparent provision for feedback from stakeholders after the release of the draft.
Therefore, areas of serious concern may not be addressed before the bill is signed into law, thereby making the bill non-inclusive.
The draft makes a beginning in terms of affording data protection to citizens but it falls short of the envisioned goal by a huge margin.
