While the draft Bill for protection of personal data of Indian citizens has been welcomed as a positive start, it is not without loopholes, according to various stakeholders who have called for an in-depth consultative process before the Bill becomes a law.
An expert panel headed by Justice B.N. Srikrishna, on Friday, submitted its report on data protection as well as the draft ‘The Personal Data Protection Bill, 2018’ after a year-long consultation process.
“This draft bill is a strong start, but to truly protect the privacy of all Indians, we can’t afford loopholes such as the Bill’s broad exceptions for government use of data and data localisation requirements,” said Mitchell Baker, chairwoman of Mozilla – the company behind Firefox browsers.
Mishi Choudhary, managing partner at MCA, emphasised that the Bill in its current form should not be introduced in Parliament and further consultations must take place. She pointed out that the recommendations make every offence cognisable and non-bailable which just creates more hurdles for businesses and individuals.
‘Proxy surveillance’
In a blog, Mozilla argued that data localisation is bad for business, users and security. “Notwithstanding the protections on processing in the interest of the security of the state, it’s hard to see that this provision is anything but a proxy for enabling surveillance,” it said.
The National Association of Software and Services Companies pointed out policies that govern data protection, storage and classification need to be carefully crafted given the global footprint of the IT-BPM sector. “Mandating localisation of all personal data…is likely to become a trade barrier in the key markets,” it said.
A member of the expert panel, Rama Vedashree, the CEO of Data Security Council of India set up by Nasscom, has termed the data localisation requirement as “not only regressive but against the fundamental tenets of our liberal economy.” Her dissent note is part of the report submitted.
Likewise, another committee member Prof. Rishikesha T. Krishnan, director, IIM, Indore, in his dissent note has said, “The requirement that every data fiduciary should store one live, serving copy of personal data in India is against the basic philosophy of the Internet and imposes additional costs on data fiduciaries without a proportional benefit in advancing the cause of data protection.”