GDPR-Lite and Requiring Strengthening – Submission on the Draft Personal Data Protection Bill to the Ministry of Electronics and Information Technology (India)

Abstract

This submission concerns the draft Personal Data Protection Bill which accompanies the July 2018 Report of the Committee of Experts on Data Protection (‘Srikrishna Report’) appointed by the Indian government. The submission makes five general comments about the Bill, on these topics: 1. The draft Bill is a serious and modern draft law, and should only be strengthened, not weakened by MeitY in preparing a Bill for submission to the legislature. The Indian government has compelling reasons to enact a Bill resembling this draft. 2. The Report and Bill both reflect a very different regulatory philosophy from the EU GDPR’s radical dispersal of decision-making responsibility (and liability for wrong decisions) to data controllers. The Indian model is more prescriptive, but a justifiable regulatory option, provided it does not include excessive discretion to the government or the Data Protection Authority. 3. The Bill's data localisation requirements adopt an unjustifiable generic approach to data localisation, through blanket local copy requirements (with exceptions to be specified by government), and export prohibitions also specified by government. 4. The very broad exemptions from most of the Act for processing in the interests of State security or relating to law enforcement, although purportedly constrained by legality, necessity and proportionality (are dangerously vague). 5. The lack of complete independence of the DPIA, and the lack of any legislatively guaranteed independence by the Adjudicating Officers, represent unsound policy in relation to bodies whose function is to regulate government as well as the private sector. The submission also includes fifteen more specific recommendations for improvements to the Bill.