Privacy International’s Comments on the India Personal Data Protection Bill, 2018
Privacy International welcomes the effort by the Government of India to reaffirm its commitment to upholding and respecting the right to privacy, and its acknowledgement of the need to regulate the processing of personal data, through the adoption of a data protection law, as essential for the protection of privacy.
The urgent need for this legislation has been validated in the Supreme Court decision regarding the Aadhaar Act, which stipulates the need for a robust data protection regime.
However, the proposed Bill has a number of significant shortcomings. We recommend that to effectively protect privacy and to meet international standards in protecting personal data, full consideration should be given to the areas of concern and improvements outlined below under each Part of the Bill.
Our feedback is outlined in detail in a briefing for the Committee of Experts constituted by the Ministry of Electronics and Information Technology (MeitY), Government of India. The amendments focus on the following issues:
1. Over-reliance on consent and reasonable purposes
Core grounds for processing included within the Bill are consent and so-called ‘reasonable purposes’. As explained in more detail in our brief, both these grounds raise concerns and are open to abuse in their current form.
2. Individual rights
Rights for individuals relating to their data are a vital part of a meaningful data protection framework. The rights that are included within the Bill need to be strengthened, including through limiting the time and cost of exercising them. The Bill also falls short by failing to include important rights, including the right to object, and rights in relation to profiling and automated decision-making.
3. Data localisation
The Bill includes mandatory data localisation requirements. However, it is unclear what the justification is for making data storage in India mandatory. The justifications for this provision noted in the report of the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna do not relate to the objective of the law, which is to protect personal data. Firstly, mandatory data localisation will not provide adequate protection for people’s data, i.e. storing the data in India will not necessarily make the data more secure. Secondly, such a requirement may have negative implications for people’s rights and the security of their data, with the risk that this provision is used to access personal data for other purposes such as surveillance.
4. Wide exemptions
The exemptions to the Bill in Chapter IX are all overly wide and must be narrowed. In particular, the exemptions for state security are broad and undefined and thus open to abuse. All of the agencies mandated with protecting the security of the state and with law enforcement powers must comply with India’s human rights obligations. Any interference with human rights must meet the requirements of being in accordance with the law, necessary and proportionate in pursuit of a legitimate aim – this includes in relation to the right to privacy and thus data protection.
5. Role of the data protection authority
An independent and effective data protection authority to oversee implementation and enforcement is essential in ensuring that the law and the protections it provides translate into practice. Further clarity is required on the operation of the authority, including a timescale for its establishment.
6. Delegated powers
The legislation has too many delegated powers, which remove the requirement for effective parliamentary scrutiny. These should be limited and the provisions added to the Bill.
7. Harmonisation and application to Aadhaar
The absence of a comprehensive data protection framework in India to date means that it is essential to review and harmonise existing law and practice with the new data protection law. This is not explicitly included within the Bill. Further commitment must be made to ensure that high data protection standards are met across the board, particularly in relation to Aadhaar, which has far-reaching implications for the privacy and security of people in India.