India's Data Protection Bill (2018) With Comparison to EU GDPR
By Gurmeet Singh Jaggi
The much-awaited draft Personal Data Protection Bill 2018 by the Justice Srikrishna Committee is out and, if implemented, could address some of the burning issues surrounding the privacy of personal data in India.
Privacy laws in India have so far offered little protection from the misuse of one's personal information. Currently, the transfer of personal data is governed by the SPD Rules (Sensitive Personal Data and Information), 2011, which have become increasingly inadequate.
In essence, the proposed Data Protection Bill 2018 makes individual consent central to the sharing of data. The report notes that the right to privacy is a fundamental right. Your personal data cannot be shared or processed unless you have given your explicit consent. This also means, of course, that it is your responsibility to make an informed choice.
Next, the draft bill also states that any person who processes one’s personal data must do so fairly and reasonably. In other words, your data should only be processed for the purposes for which it was originally intended. Failure to comply with these provisions may cost companies dearly, with the bill imposing penalties of up to a maximum of 15 crore or 4% of the total amount of a company.
The jurisdiction of the Data Protection Bill under Section 2 is massive, including both territorial and extra-territorial provisions along the lines of the European Union - General Data Protection Regulation (EU-GDPR).
The European Union - General Data Protection Regulation (EU-GDPR) is the most important change in data privacy regulations in 20 years.
The General Data Protection Regulation (GDPR) was approved by the European Union (EU) Parliament in April 2016. The regulation was to take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by the Government, meaning it came into force in May 2018.
The European Union - General Data Protection Regulation (EU-GDPR), which takes effect from May 25, 2018, envisages strict rules for handling personal data of users and specifies new protocols for handling and storing private data, and sharing it with third parties.
The General Data Protection Regulation (GDPR) not only applies to organisations located within the European Union but it also applies to organisations outside of the European Union if they offer goods or services to, or monitor the behaviour of, European Union (EU) data subjects.
It applies to all companies processing and holding the personal data of data subjects residing in the European Union (EU), regardless of the company’s location.
India has the second largest number of Internet users and we didn't have a legal protection framework, which is why this was a very big deal: the Supreme Court last year in its privacy judgment emphasized the need for data protection laws for India's economy.
Europe is a significant market for ITeS, BPO and Pharma Sectors in India. The size of the IT Industry in the top two European Union (EU) member states (Germany and France) is estimated to be around $155-200 Billion.
Personal data that can identify a person should be processed (that is, collected, displayed and/or used) with that person's consent, under certain conditions and with certain safeguards, regulated by the Data Protection Authority.
As a matter of fact, the Draft Bill of 2018 has certain loopholes in the protection of users' data (Personal Data, Strict Private Data and Crucial Personal Data), where companies kept using the private data of users to expand their business until the General Data Protection Regulation (GDPR) was introduced and came into existence.
The following are some of the loopholes in India's Data Protection Bill.
Loophole No. 1: No Data Ownership
Who owns the data held by private entities or Government departments? That is the question we were hoping the draft bill would answer firmly in favour of users, but sadly that didn't happen.
Loophole No. 2: Government Exemption
Personal data is supposed to be processed with consent. Sensitive personal data, including sexual orientation, financial data etc., can only be processed with explicit consent, unless you are the Government, which can process personal data without consent for FUNCTIONS OF THE STATE.
These are primarily functions of the Parliament or the State Legislature, and expressly include granting or providing things like:
1. Providing services
2. Providing benefits
3. Issuing of licences.
Loophole No. 3: Data Localisation
The situation has been so problematic due to the following 2 grand reasons:
2. Open nature of internet where data should be allowed to flow freely with disregard to geographical borders.
Loophole No. 4: Lack of Surveillance Reform
The government has the power under Section 98 of this Act to give directions to the Data Protection Authority. It can do so on the basis of the security of the State, a sweeping ground that could cover anything, and it can ask the Data Protection Authority to process data, hand over data, or do anything else it seeks. The government uses this power when it comes to the investigation, prosecution and prevention of offences.
Loophole No. 5: No Notification of Data Breach
There is a very strange position here: if there is a breach of personal data, the person processing the data, the Data Fiduciary, has to tell the Data Protection Authority, but there is no obligation to tell the person whose data has been stolen.
Breach notification is part of any strong privacy and data protection framework, but data breach notification is something that again has slipped through the cracks.
Loophole No. 6: Aadhaar
The draftsman said it is important to protect the Aadhaar number but in doing so it ignores the entire class of other data that makes up this Aadhaar ecosystem. It is much more important in the light of so many Aadhaar leaks and data breaches that we have been reading about to protect all the classes of data in the Aadhaar ecosystem.
These exceptions give the Government more power over Aadhaar data.
Loophole No. 7: Amendment in the RTI Act
The Committee wanted to amend the RTI Act on the basis that we have a very strict test governing when personal information can be revealed even under the RTI Act, even if it concerns a public figure like the Hon'ble Prime Minister.
Why are there so many loopholes?
We should not be surprised that the Data Protection Bill has so many loopholes. To understand this, we must consider how the drafting committee itself functioned. There are three main reasons:
1. Lack of Civil Society Participation.
2. Weak public consideration.
3. Lack of transparency.