Takshashila Policy Advisory - Comments to the Draft Personal Data Protection Bill
Executive Summary
This document contains recommendations and comments in response to the draft Personal Data Protection Bill, 2018 (Bill) released by the Committee of Experts under the Chairmanship of Justice B. N. Srikrishna (Justice Srikrishna Committee) in July 2018.
At the outset, we welcome the release of the Bill and the call for comments. However, we note that some aspects of the draft legislation demand further scrutiny. Our comments to the Bill focus on four distinct areas of the proposed legislation: (i) the exemptions granted to the State; (ii) restrictions on cross-border flows of personal data; (iii) the capacity of the proposed Data Protection Authority (DPA); and (iv) the excessive discretion allowed to the Union government and the DPA in certain circumstances.
After examining the Bill’s positions on these four aspects, we make the following recommendations:
Exemptions – The continued applicability of the fair and reasonable processing standard to the exempted scenarios under the proposed law is a step in the right direction. While it would have been prudent to extend the additional safeguards of purpose limitation, collection limitation, and storage limitation to the exempted scenarios, the presence of S. 4 in the Bill should act as a safety blanket against unfair and unreasonable intrusions into the privacy of individuals. It is recommended, however, that the Bill expressly mention appropriate judicial oversight as a necessary precondition for the State to avail itself of the exemptions.
Restrictions on Cross-Border Flows of Data – We recommend that personal data and sensitive personal data be capable of easy transfer across Indian boundaries. In order to curtail the risk of this law being a deterrent for data fiduciaries servicing Indian customers, we recommend that “critical personal data” be defined narrowly and exhaustively in the law. We also recommend that localisation be mandated only for such data.
The capacity of the DPA – The DPA performs both monitoring and adjudication functions under the Bill, and we anticipate that it is likely to be overburdened soon. We recommend that the DPA establish regional offices to function more efficiently. Data auditors should also be independent and professional bodies.
Discretion to the Union Government and the DPA in Certain Scenarios – We recommend that the discretionary powers extended to the State be narrow. Owing to the unique position and responsibilities of the State as a data fiduciary, specific provisions must be made in the Bill with respect to penalties, qualifying as a significant fiduciary, as well as limitations on the State’s power to circumvent consent for the collection of personal data in some circumstances.