The draft Personal Data Protection Bill 2018, along with the Srikrishna Committee Report, lays the groundwork for key principles to be followed in protecting the individual's fundamental right of privacy. The draft Bill is progressive in that it advances the cause of maintaining privacy. The Bill defines personal data and expands the category beyond elements already defined in the IT Act. Personal data now includes passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, and religious or political belief or affiliation. Importantly, location is still not considered sensitive. Data processing must be done in a "fair and reasonable" manner to safeguard privacy. The Bill states that only limited personal data should be collected for a clear, specific and lawful purpose, and individuals should be notified regarding the kind of data that has been collected. Data should be collected and processed only with explicit consent, except under certain broad exemptions.
But the Bill leaves multiple loopholes and contains broad exemptions that allow personal data to be collected, held and processed by the state, without consent. While the rights of correction, updating, and data portability are included in the draft, a key provision such as the right to be forgotten is confusingly outlined and there is no apparent right of deletion, or right to object to processing. The proposed Data Protection Authority would have the powers to decide if data breaches are to be disclosed at all to affected users, rather than such disclosures being made mandatory. In addition, no attempt has been made to curb surveillance; in fact, the provisions of data localisation could lead to greater surveillance. While the report recommends changes in the Aadhaar Act, the Bill itself doesn't touch upon this all-important area.
Apart from consent, data may be collected and processed for "functions of state", for compliance with legal orders, in the case of emergencies, for employment-related purposes and for "reasonable purposes of the data fiduciary". "Functions of state" is too broad and discretionary a category, and extensive case law will also be required to define "reasonable purpose". Aadhaar, for example, may be justified as non-consensual because it is a "function of state". The Bill mandates storing mirrors of all personal data within Indian territory and empowers the government to classify "critical personal data" and mandate its storage and processing exclusively in India. Two committee members have expressed dissent with this provision. It seems unsatisfactory for several reasons.
The infrastructure to do this efficiently is lacking in terms of current server-cloud capacity and fast broadband. It will also add to the expense of holding and processing data. In conjunction with the "functions of state" clause, mandatory data localisation could lead to intensified surveillance by agencies, which continue to operate under the blanket exemption of "functions of state". It is a pity that the consultative process was opaque, with submissions to the committee kept confidential. Unlike with most draft Bills, there is no apparent provision for feedback from stakeholders after the release of the draft. As a result, these areas of serious concern may not be addressed before the Bill is signed into law. The draft makes a beginning in terms of affording data protection to citizens, but it doesn't come anywhere close to emulating model laws such as the European Union's General Data Protection Regulation.