Bangalore, July 29 2018: The Justice BN Srikrishna-led Committee of Experts on Data Protection has submitted its report to the Indian government. The Committee’s exercise is being called "the most comprehensive undertaking on data protection by any government agency in the country."
The committee was set up last year to “study various issues regarding data protection in India”, in the wake of the Supreme Court’s August 2017 ruling upholding the right to privacy as a fundamental right.
The 213-page report, prepared by a 10-member committee, was submitted to law and electronics minister Ravishankar Prasad on 27 July.
The report has suggested amendments to various laws including the Aadhaar Act to provide for imposition of penalties on data fiduciaries and compensations to data principals for violations of the data protection law. "Any restriction must be proportionate and narrowly tailored to the stated purpose."
However, one portion has attracted adverse reaction. Says expert Amber Sinha in Mint: "While there can be other limited grounds for processing, the most disappointing feature of this draft bill is the carte blanche it gives to the state to process personal data without obtaining consent. Under Section 13, personal data of individuals can be processed “for the exercise of any function of the state”. This can be done without the consent of the individual as long as it is to provide a service or benefit to the individual."
Rajeev Dubey writing in Business Today calls the report "A patchwork of laws collated from across the world and adopted for Indian conditions, the report has lax and lenient clauses. A missed opportunity of creating a path-breaking law. India has wasted a year waiting. Time is of essence now."
"In the midst of a raging debate in India and abroad over data privacy, the most awaited and delayed report on data protection by the Srikrishna committee has delivered a whimper. For one, the report has totally ignored the Trai recommendation that ownership of data must rest with the individual. Everybody else is a mere custodian of that data."
Links to original documents:
The full report of the Justice BN Srikrishna committee: A Free and Fair Digital Economy
The proposed bill: The Personal Data Protection Bill 2018 (Draft)
Indian industry and industry-association reactions:
Venkatesh Krishnamoorthy, Country Manager India, BSA, the Software Alliance: Our member companies are at the forefront of data-driven innovation and recognize the importance of fostering trust and confidence in the online environment. We therefore support the effort to create a comprehensive legislation to protect the personal information of citizens in India. However, including data localisation requirements in such legislation is contrary to the goals of promoting a Digital India, as global data transfers are critical to cloud computing, data analytics, and other modern and emerging technologies and services that underpin global economic growth. BSA recommends that India’s Personal Data Protection Bill avoid imposing undue restrictions on the ability to securely transfer personal data outside of India.
Ramesh Mamgain, Area Vice President, India and SAARC Region, Commvault: The committee’s recommendation for setting up a Data Protection Authority (DPA) which will be responsible for monitoring, enforcement, standard setting, awareness creation and grievance handling is a reflection of a comprehensive approach towards data management in India. Several instances of data leaks on both individual as well as organizational level that have taken place in the past had created an alarming situation across the country. With the regulation taking form, citizens of the country can now be assured of the safety of their sensitive data. Similar to EU’s GDPR, the Data Protection Law in India is a much needed regulation which will institutionalize processes for organizations across all sectors to better manage both primary and secondary
Amba Kak, Mozilla Policy Advisor in India: This bill provides a strong foundation of protection for Indians’ privacy, but it is not without loopholes - in particular, the requirement to store a copy of all personal data within India, creating broad permissions for government use of data, and the independence of the regulator’s adjudicatory authority. We welcome the Government’s commitment to a public consultation process, which we hope will rectify the cracks in this foundation.
Prashant Gupta, Partner, Grant Thornton India LLP: It is a bold step taken by the Government in the area of security and privacy. The committee’s recommendations may have a significant impact on functioning of businesses and govt. bodies (e.g. Aadhaar) on the processing of personal data (PII) of individuals, considering that it gives a broad coverage for both public and private entities including cross-border processing of data and also enforces requirement of lawful processing. As highlighted in the report, exemplary powers for central govt. around PII of foreign nationals will also define the future business growth for different sectors in India. Based on these suggestions, it seems, a paradigm shift will happen that will bolster India in the Global economy by enforcing this law which will ensure privacy and protection of personal data.
NASSCOM-DSCI: The Personal Data Protection Bill released by the Justice Srikrishna committee has suggested a much needed framework for data protection and privacy in the country. The Bill builds on the Supreme Court Judgment that advocated privacy as a fundamental right for the country and creates a framework for all stakeholders to be more responsible and build trust while dealing with personal data. NASSCOM-DSCI welcome the thrust on creating an institutional structure through a Data Protection Authority in the country as well as the importance of Privacy by Design.