Takshashila Policy Advisory - Comments to the Draft Personal Data Protection Bill

High Tech Geopolitics
Written By

Executive Summary

This document contains recommendations and comments in response to the draft Personal Data Protection Bill, 2018 (Bill) released by the Committee of Experts under the Chairmanship of Justice B. N. Srikrishna (Justice Srikrishna Committee) in July 2018.At the outset, we welcome the release of the Bill and the call for comments, however, we note that some aspects of the draft legislation demand further scrutiny. Our comments to the Bill focus on four distinct areas of the proposed legislation: (i) the exemptions granted to the State; (ii) restrictions on cross-border flows of personal data; (iii) the capacity of the proposed Data Protection Authority (DPA); and (iv) the excessive discretion allowed to the Union government and the DPA in certain circumstances.After examining the Bill’s positions on these four aspects, we make the following recommendations:

  • Exemptions – The continued applicability of the fair and reasonable processing standard to the exempted scenarios under the proposed law is a step in the right direction. While it would have been prudent to extend additional safeguards of purpose limitation, collection limitation, and storage limitation to the exempted scenarios, the presence of S. 4 in the Bill should act as a safety blanket against unfair and unreasonable intrusions into the privacy of individuals. It is recommended, however, that the Bill expressly mention the need for appropriate judicial oversight as a necessary precondition for availing the exemptions by the State.

  • Restrictions on Cross-Border Flows of Data – We recommend that personal data and sensitive personal data be capable of easy transfer across Indian boundaries. In order to curtail the risk of this law being a deterrent for data fiduciaries servicing Indian customers, we recommend that “critical personal data” be defined narrowly and exhaustively in the law. We also recommend that localisation be mandated only for such data.

  • The capacity of the DPA - The DPA performs both monitoring as well as adjudication function under the Bill and we anticipate that it is likely to soon be overburdened. We recommend that the DPA establish regional offices to function more efficiently. Data auditors should also be independent and professional bodies.

Discretion to the Union Government and the DPA in Certain Scenarios – We recommend that the discretionary powers extended to the State be narrow. Owing to the unique position and responsibilities of the State as a data fiduciary, specific provisions must be made in the Bill with respect to penalties, qualifying as a significant fiduciary, as well as limitations on the State’s power to circumvent consent for the collection of personal data in some circumstances.

Authors

Featured
Ajay Patri
Ajay Patri

Ajay Patri is a lawyer from NLSIU who previously worked at Trilegal as part of their specialised Labour and Employment team, dedicated to assisting clients on a range of employment issues. He worked as an Associate Fellow with Takshashila from 2017 to 2019 working at the intersection of technology law and policy.

Manasa Venkataraman
Manasa Venkataraman

Manasa Venkataraman is a lawyer by education and a tech policy professional. She currently works in the Public Policy team at Meta. Her work focuses on data privacy, digital governance from a public policy lens and the role that regulation plays in encouraging innovation and digital access. She worked as a researcher at Takshashila from 2016 to 2019 in the Technology and Policy vertical.

Previous

Takshashila Discussion Document - A Framework to Counter Mobilised Violence
Next

Takshashila Working Paper - China's Quest For AI Leadership: Prospects and Challenges