The draft data protection bill, as submitted by the B.N. Srikrishna committee, falls short of laying data security standards, say experts
New Delhi: India’s first data protection bill has fallen short of laying down guidelines for data security standards, will increase costs for companies, which will have to store a copy of users’ personal data in the country, and does not clearly define the government’s accountability when it processes users’ personal data without their consent, experts argued.
After a year of deliberations, the 10-member Justice Srikrishna committee on Friday submitted to the government the Personal Data Protection Bill, 2018, and a report on the framework for data security in the country. The report outlines the need for a user’s free, informed, specific and clear consent for the processing of his/her data; the rights and obligations of data fiduciaries; norms for storing personal and critical data; and penalties for violation of the proposed law.
“The bill is good at its core but needs further enhancements to make it more robust. The industry needs clarity on what kind of security standards should be followed by the data fiduciary. For example, payment companies which deal with financial data follow PCI-DSS (Payment Card Industry Data Security Standard) and health firms follow HIPAA (Health Insurance Portability and Accountability Act) globally,” said Nitin Bhatnagar, associate vice-president at SISA Information Security.
While the security standards needed for handling data have not been outlined, the industry is also worried about the additional costs it will have to incur, given that the bill proposes that companies ensure the storage, on a server or data centre located in India, of at least one copy of personal data.
“Keeping a copy in India does not really guarantee against breach of security or privacy,” said Rama Vedashree, CEO, Data Security Council of India. “There have been cases of government beneficiaries’ data residing on servers in India being published, going against the Aadhaar Act. There is no evidence that data localisation leads to better privacy and security of data. Moreover, we need to scale our data centre industry first,” said Vedashree, who was a member of the Srikrishna committee and also raised a dissent note in the report on this issue.
To be sure, India’s draft data protection bill is less harsh on companies compared with the European Union’s (EU’s) General Data Protection Regulation (GDPR), which mandates that every EU citizen’s data be stored within the EU. Facebook’s first-quarter earnings showed signs of slowing growth, missing analysts’ estimates, as Europe’s implementation of strict new data laws has led to fewer daily visitors from that region. Twitter, too, has forecast a drop in monthly visitors.
“EU GDPR was an over-reach. The Indian law seems a bit more rational and gets the balance right between the rights of the individual and the public good that comes from the digital economy. Having said that, the clauses on processing of data on reasonable grounds should have been less vague, and the bill should have defined some accountability on the part of the government when it processes personal data of the users without consent,” Suneeth Katarki, Partner, IndusLaw, said.
While the bill lays down users’ consent as a prerequisite for data processing, it proposes that the state be exempt from this condition and that welfare functions of the state be recognised as a separate ground for processing. Processing activities carried out by the state under law will be covered under this ground, ensuring that they are in furtherance of public interest and governance, the committee’s report said.
Vedashree, however, believes that some exemptions have to be given for national and health emergencies, and that there are checks and balances in the proposed law. “There should not be unnecessary worries on this matter. The fact that both state, corporates and all government bodies have to conform to data protection is a great step forward,” she said.
In cases of violation of the proposed law, the report clearly lays down the size of penalties and even jail time for offenders, but enforcement could become a challenge, as it only says that a breach should be reported to the data protection authority “as soon as possible”.
“The bill needs to precisely define the time frame for periodic review and frequency of data security audit of companies as well as the time frame for reporting of personal data breach at the fiduciary’s end. For effective enforcement of the Act, the above guidelines are required to be clearly laid out,” Bhatnagar said.