India’s Personal Data Protection Bill, 2019 Needs Closer Adherence to Global Standards (Submission to Joint Committee, Parliament of India)
13 Pages Posted: 16 Mar 2020
Date Written: February 12, 2020
This is a submission to the Joint Committee on The Personal Data Protection Bill, 2019 of the Parliament of India, which has invited submissions from the public. The submission argues that a stronger Bill is needed if the Indian government is to have reasonable prospects both to protect legislation and practices on which government programs depend against unconstitutionality, and in order to maximize India’s prospects of obtaining a positive ‘adequacy assessment’ from the European Union under the GDPR. The submission also argues that there are many aspects of the Bill which fall far short of the accepted international benchmarks for a high quality data privacy law.
The submission argues that areas which need improvement in the government’s Bill include:
(i) Data principals, and NGOs representing them, are given too little ability to enforce the law, both in the courts, and before the DPAI and its AOs. It must be clear that data principals can enforce, and seek remedies for, any breaches of obligations by data fiduciaries, as well as for any breaches of explicit rights of data principals. Breaches of rights and obligations should be treated alike.
(ii) The guarantees of independence of the DPAI and its AOs are not strong enough.
(iii) State powers to exempt government agencies from the law are too strong.
(iv) The DPAI has too broad a discretion to authorise new grounds of non-consensual processing of personal data.
(v) Obligations of data fiduciaries to give Data Breach Notifications, to both the DPAI and to data principals, should be stated as objective criteria.
(vi) The rights of data principals are too weak, in relation to both rights to withdraw consent, and access rights.
(vii) Requirements of ‘harm’ before some obligations/rights apply are inappropriate. ‘Harm’ should also be better defined.
(viii) The ‘outsourcing exemption’ for data on foreigners being processed in India defeats India’s aspiration to be a global leader in ethical data protection.
(ix) A number of aspects of the Bill concern non-personal data, including anonymisation of personal data, deserve further consideration.
(x) The Bill’s provisions concerning data localisation, including data export restrictions, give the government and the DPAI a great deal of discretionary control, with few legislative constraints, and few guarantees that discretions will be exercised to benefit the privacy of data principals. These broad discretions may cause unnecessary problems, and a more legally constrained approach may be better. For clarity, there is a need to amend s. 34(1) in relation to the number of bases for data exports.
Keywords: privacy, data protection, India, data localisation
Suggested Citation: Suggested Citation