India’s Srikrishna committee, which is spearheaded by former Supreme Court Judge B.N. Srikrishna, has submitted a draft version of the Personal Data Protection Bill 2018 to the Ministry of Electronics and Information Technology.
The bill is a first attempt at codifying privacy rights for India’s 1.3 billion citizens and borrows heavily from the EU’s General Data Protection Regulation (GDPR), which came into force on 25 May 2018.
While the bill grants Indian citizens rights similar to those available to EU citizens, e.g. the right to data portability, its provisions on the right to erasure, colloquially referred to as “the right to be forgotten”, are more limited.
Penalties for organizations that contravene its provisions are also less severe than those enforced under the GDPR.
The bill proposes fines of up to 2.2 million USD or 4 percent of annual turnover, whichever is higher, which contrasts with a maximum penalty of 20 million EUR or 4 percent of annual turnover, whichever is higher, for organizations found in contravention of the GDPR.
The bill also spans 112 Sections and 61 pages, while the GDPR spans 99 Articles and 173 Recitals.
Initial reactions to the bill from privacy advocates have been negative. Nikhil Pahwa, co-founder of saveourprivacy.in, a coalition of lawyers and advocates that published a draft Indian Privacy Code 2018 earlier this year, called the bill “weak”.
In full, he stated:
“This is a weak data protection bill and it should NOT be allowed to be passed in Parliament. Justice Srikrishna has disappointed”.
One of Pahwa’s primary concerns is that the bill appears to make users liable for the consequences of withdrawing consent. Section 12(5) of the bill states:
“Where the data principal [data subject or natural person] withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal”.
Section 3(29) also provides a working definition of “personal data” which broadly resembles that provided under the GDPR and covers data which makes a person directly or indirectly identifiable. Crucially, its final clause also reaches combinations of such identifying features with any other information, which is how data inferred from personal data can itself fall within the definition.
In full, it states:
“‘Personal data’ means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information”.
The bill also contains provisions on data transfers between jurisdictions, including a data localisation requirement. Section 40(1) states:
“Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies”.
Facebook is the world’s largest social network (2.2 billion monthly active users) and India is its largest market (270 million monthly active users). Section 40(1) would, at the very least, require the social network to store a copy of Indian users’ personal data on servers located in India.
Meanwhile, Section 40(2) of the bill makes a distinction for what it refers to as “critical personal data”:
“The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India”.
The bill does not provide a working definition of the term “critical personal data”; which categories fall under the stricter processing-only-in-India rule is left to later notification by the Central Government.
Facebook was recently criticized by EU officials, in a motion for a resolution on the EU-US Privacy Shield, over its decision to move the administration of its terms and conditions for non-EU users from Facebook Ireland to Facebook’s US entity.
The transfer, which took place a few weeks before the GDPR came into force, effectively ensured that users outside the EU would no longer benefit from the EU’s data protection legislation.