GDPR-Lite and Requiring Strengthening – Submission on the Draft 
<i>Personal Data Protection Bill</i> to the Ministry of Electronics and Information Technology (India)

Greenleaf, Graham

doi:10.2139/ssrn.3252286

Download This Paper

Open PDF in Browser

Add Paper to My Library

GDPR-Lite and Requiring Strengthening – Submission on the Draft Personal Data Protection Bill to the Ministry of Electronics and Information Technology (India)

UNSW Law Research Paper No. 18-83

14 Pages Posted: 20 Sep 2018 Last revised: 21 Nov 2018

See all articles by Graham Greenleaf

Graham Greenleaf

University of New South Wales, Faculty of Law

Date Written: September 20, 2018

Abstract

This submission concerns the draft Personal Data Protection Bill which accompanies the July 2018 Report of the Committee of Experts on Data Protection (‘Srikrishna Report’) appointed by the Indian government.

The submission makes five general comments about the Bill, on these topics:

1. The draft Bill is a serious and modern draft law, and should only be strengthened, not weakened by MeitY in preparing a Bill for submission to the legislature. The Indian government has compelling reasons to enact a Bill resembling this draft.

2. The Report and Bill both reflect a very different regulatory philosophy from the EU GDPR’s radical dispersal of decision-making responsibility (and liability for wrong decisions) to data controllers. The Indian model is more prescriptive, but a justifiable regulatory option, provided it does not include excessive discretion to the government or the Data Protection Authority.

3. The Bill's data localisation requirements adopt an unjustifiable generic approach to data localisation, through blanket local copy requirements (with exceptions to be specified by government), and export prohibitions also specified by government.

4. The very broad exemptions from most of the Act for processing in the interests of State security or relating to law enforcement, although purportedly constrained by legality, necessity and proportionality (are dangerously vague).

5. The lack of complete independence of the DPIA, and the lack of any legislatively guaranteed independence by the Adjudicating Officers, represent unsound policy in relation to bodies whose function is to regulate government as well as the private sector.

The submission also includes fifteen more specific recommendations for improvements to the Bill.

Keywords: India, data protection, privacy, GDPR, data localisation, adequacy, EU

Suggested Citation: Suggested Citation

Greenleaf, Graham, GDPR-Lite and Requiring Strengthening – Submission on the Draft Personal Data Protection Bill to the Ministry of Electronics and Information Technology (India) (September 20, 2018). UNSW Law Research Paper No. 18-83, Available at SSRN: https://ssrn.com/abstract=3252286 or http://dx.doi.org/10.2139/ssrn.3252286