In the midst of a raging debate in India and abroad over data privacy, the most awaited and delayed report on data protection by the Srikrishna committee has delivered a whimper. For one, the report - The Personal Data Protection Bill 2018 - has totally ignored the Trai recommendation that ownership of data must rest with the individual. Everybody else is a mere custodian of that data. Instead, who owns the data of the individuals is a question not answered by the Srikrishna Committee.
Here are a few other shortcomings:
NO RIGHT TO BE FORGOTTEN
Globally, the right to be forgotten refers to the right to erase data. Srikrishna panel, however, has invented a new definition instead. It says "...data principal shall have the right to restrict or prevent continuing disclosure of personal data by a data fiduciary related to the data principal where such disclosure-has served the purpose for which it was made or is no longer necessary; was made on the basis of consent...and such consent has since been withdrawn; was made contrary to the provisions of this Act or any other law made by Parliament or any State Legislature."
This essentially implies that the data collector or processor will only be required to restrict or stop sharing data rather than erase it.
If your data is breached, worldwide the breach is required to be reported to the subject of the breach (the person whose data has been breached) instantly. The Srikrishna Committee in its wisdom recommends that such a breach must first be reported to the Authority. It is an outrageous suggestion. It is the Authority that will decide whether the person whose data has been breached needs to be informed or not: "Upon receipt of notification, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm," says the report.
"Where the data principal withdraws consent for the processing of any personal data necessary for the performance of a contract to which the data principal is a party, all legal consequences for the effects of such withdrawal shall be borne by the data principal," the report says. That individuals will be liable when they withdraw their consent is an outlandish clause. By implication it means the individual has no right over his or her data. This is also a clause that will be misused widely by inserting the conditions of a contract in fine print and then invoking them at the time when the individual wishes to withdraw consent. Such a clause has no locus standi and must be struck off.
THE LOCAL STORAGE LOOPHOLE
Propriety demands that data on Indians must be stored within India's geographical expanse and within the jurisdiction of Indian laws. Over 80 countries have mandated this. India isn't one of them. Data residing on foreign shores is governed by those countries' local laws and can be blocked by a foreign entity or individual, preventing legitimate access by Indian authorities. And though the Srikrishna Committee recommends that data on Indians be stored in India, it has left a loophole: "Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies." This implies that while a copy is stored in India, the data may actually reside in another nation, which gives rise to its own set of complications, including accessing it even when Indian authorities require it.
WHY SO LENIENT?
The Srikrishna Committee's penal provisions appear to have been inspired by the European GDPR (General Data Protection Regulation) and have an identical two-stage process. "Where the data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable," it says.
Under the GDPR, lesser violations involve a fine or a maximum penalty of 2 per cent of global turnover of the preceding year (whichever is higher), while graver violations invite a fine or a maximum penalty of 4 per cent of global turnover. The Bill has recommended 5 crore or 2 per cent (whichever is higher) and 15 crore or 4 per cent (whichever is higher), respectively, for lesser and graver contraventions. Given that the companies involved generally run billions of dollars in revenue, these penalties are not deterrent enough. Violations need to be penalised prohibitively, not generously. Unlike the Srikrishna panel's recommendation, EU law, beyond the GDPR, also provides for a maximum fine of up to 10 per cent of global turnover.
And while the Bill rightly recommends setting up the Data Protection Authority of India, the Appellate Tribunal as well as data protection officers, it appears the report has laid far greater emphasis on the architecture of the data protection framework than on data privacy and protection itself. After all, more than half of the 62-page report is dedicated to the governance architecture.
The report appears to be a massive patchwork of laws collated from across the world and adapted for Indian conditions. Devoid of new ideas, it has lax and lenient clauses and is a missed opportunity to create a path-breaking law. The Centre must reject it and adopt the Trai recommendations instead, for a stringent law on data privacy and protection is the need of the hour. Time is of the essence. Setting up another panel is not an option any more.