The data protection bill released by the Justice BN Srikrishna panel on 27 July has clearly divided the opinions of many. Digital rights activists are not too happy with certain provisions, some are predicting changes in future business growth, others are not too happy with the way some of the provisions have been misrepresented on social media.
Most of the people tech2 spoke to agreed that the bill is a step in the right direction as we move towards drafting a strong data protection law. Despite being a country with the second highest number of internet users in the world, India does not have a dedicated data protection law. The 10-member panel which was tasked with drafting the data protection bill in August 2017 has released a detailed report which involves 112 sections.
Data localisation is a problem area
“A few things that stand out are the provisions on Data Localisation, criminal liabilities making all offences cognisable and non-bailable, burdensome processes for us who are called Data Principals and extensive powers to the States. Withdrawal of consent by Data Principals is not simple and makes us responsible for all the legal consequences that follow. It’s a tricky task to balance in any case,” said Mishi Chaudhary, co-founder of SFLC.in.
Elaborating on the issues pertaining to Data Localisation, Chaudhary feels that the requirement for every data fiduciary to store a live, serving copy of personal data within India may not be much of an issue for larger players such as Google, Amazon, Facebook and Apple, but will put immense burden in terms of costs on smaller businesses.
“Such Localisation requirements radically distort that market, a form of protectionism that will raise prices and reduce productivity throughout our economy,” feels Chaudhary.
Mozilla Chairwoman, Mitchell Baker also observed the issues with data localisation requirements in the bill, “This draft bill is a strong start, but to truly protect the privacy of all Indians, we can’t afford loopholes such as the bill’s broad exceptions for government use of data and data localisation requirements.”
Data Protection Authority gets a thumbs up, but...
Speaking on the proposed introduction of the Digital Protection Authority (DPA), EY India partner for government and public sector Vidur Gupta feels that the DPA as an independent body with wider powers will be beneficial in the enforcement of the data protection law.
“Further, the recommendation of bringing public entities under the ambit of law would not only strengthen the confidence of citizens but also define specific safety measures for their personal data while using eGovernance services,” said Gupta.
Ramesh Mamgain, head of Commvault India agrees with Gupta on the importance of having provisions for a dedicated DPA to monitor, enforce, set standards, create awareness and handle grievances.
“Several instances of data leaks on both individual as well as the organisational level that have taken place in the past had created an alarming situation across the country. With the regulation taking form, citizens of the country can now be assured of the safety of their sensitive data,” said Mamgain.
Mozilla spokespersons, however, feel that the DPA isn’t without its loopholes. It feels that the independence of the adjudicating authorities and appellate tribunals when it comes to legal proceedings related to a data protection violation is lacking.
“The qualifications and nominations of those serving in these bodies are entirely prescribed by the government, as are the procedures of the bodies themselves. The system as it currently stands has delegated far too much authority to the Central Government,” says the Mozilla blog.
Outcomes for businesses
Prashant Gupta, a partner at Grant Thornton India LLP believes that the recommendations by the Srikrishna panel will have a significant impact on the functioning of a business. “As highlighted in the report, exemplary powers for central govt. around PII (personal information) of foreign nationals will also define the future business growth for different sectors in India. Based on these suggestions, it seems, a paradigm shift will happen that will bolster India in the global economy by enforcing this law, which will ensure privacy and protection of personal data,” said Gupta.
Nasscom, which represents the IT companies in India, is also of the opinion that the data localisation measures will most likely become a business or trade barrier in many markets. According to Nasscom, “Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets.”
Cyberlaw expert Asheeta Regidi stated that the data protection bill in its current avatar is a double-edged sword that definitely needs more refining.
“On the one hand, it attempts to empower the citizen against private entities through a largely consent-based regime. On the other hand, it also empowers the state against the citizen through several exemptions and loopholes,” says Regidi.
According to Regidi, the bill is definitely a major step forward from Sections 43A and 72A as India’s sole data protection law, but there are several issues with it which need to be resolved, in particular in relation to the rights of the people.