Back in July, India inched closer to its very own data privacy law after a committee headed by former Supreme Court justice B.N. Srikrishna put forward its draft Personal Data Protection Bill.
The bill contains provisions for setting up a Data Protection Authority (DPA), which will essentially act as the privacy regulator of the country, gives rights to citizens and highlights obligations on the part of “data fiduciaries” (the state, private companies, etc.). The draft also included a mandate to store data generated in India within the country itself.
Given that these are completely uncharted waters for India, various stakeholders and experts are of the view that several aspects of the draft bill need a review. However, the general consensus among stakeholders seems to be that a data protection law is of utmost importance now.
Speaking at a panel discussion as part of U.S.-India Business Council’s India Ideas Summit in Mumbai on Thursday, several experts and stakeholders shared their views on the criticism and strengths of such a law.
Gopalakrishnan S., joint secretary, ministry of electronics and IT, said that a disciplining effect must be brought in so that those identified as data fiduciaries—those who determine the purpose and means of processing data—perform their fiduciary responsibilities. “Today if someone’s privacy is violated, where do they go for redressal? The DPA will be a single regulator at the national level which will look into this,” he said, adding that in the future, regional branches of the DPA could be established.
On the issue of data privacy versus national security, the experts agreed that there is a middle path that needs to be discovered. “Privacy and national security are not binaries… We need to find a balance between the two,” said Arghya Sengupta, founder, Vidhi Centre for Legal Policy.
Michael Hayden, former director of the National Security Agency, U.S., said his definition of privacy changed after the terrorist attacks of 9/11, adding that using all the powers the authorities had at their disposal to track perpetrators and prevent such incidents was “a necessary action”.
Meanwhile, Facebook—which found itself in the eye of a storm recently in light of the Cambridge Analytica data breach—maintains that organizations must have clear expectations which should be addressed by the DPA. Rob Sherman, deputy chief privacy officer at the social media giant, said, “Should we compromise privacy for innovation and security? It’s almost a false choice,” adding that it needn’t be an either-or situation and we can have it all if stakeholders work together.
Another criticism of the draft law was that it followed the European Union’s General Data Protection Regulation (GDPR) too closely. Rahul Matthan, founding partner, Trilegal, was of the view that European companies and citizens were already somewhere close to the stage that GDPR brought them to; whereas for India, he called it akin to going from 0 kmph to 100 kmph in a sports car.
The localisation requirement emerged as the biggest cause of concern, with panellists pointing out that India could lose out on business and innovation from foreign start-ups due to this obligation.
Despite these criticisms, all experts agreed that such a law is the need of the hour for India in order to keep all entities collecting and processing user data in check.