India is following the footsteps of the European Union and is likely to soon have a legislation which limits the control which tech companies enjoy on the user data stored and “harvested” by them. A committee headed by Supreme Court justice BN Srikrishna has presented a draft of the bill which protects the privacy rights of digital users in India.
Dubbed “Personal Data Protection Bill, 2018” by the Srikrishna committee, the bill is analogous to EU’s recently-implemented GDPR regulations and puts the users’ consent at its center. The bill is designed to tackle the exploitation of user data for financial benefits, especially when it is without the consent or even the information of users.
Fine of Rs. 15 Crores for Violation
As per the 213-page draft bill, the regulation will put acts like the collection and processing of large volumes of user data using new technologies under the category of “significant data fiduciary”. The companies violating this clause or misusing their monopoly on users’ data for monetary benefits will earn a fine of Rs. 15 crores (~$2.2 million) or 4 percent of the global revenue.
Which instances of data fall under the “categories of sensitive personal data which are critical to the nation” will be decided by the government after rigorous assessment in the Parliament. As a result, companies will have to undergo frequent audits for compliance with the regulations.
Right to be Forgotten
The regulation also introduces the concept of “right to be forgotten” which means that companies will have to remove the data of users from their databases if the user requests so. It also mandates that any sort of processing of data will have to take place on servers located in India and not sent out of the country.
But, No Regulations for Government-Backed Offenders
However, one key area in which the draft bill defaults is that it does not give citizens absolute control over their data and will allow the government to sift through private information on the grounds of national security. Moreover, it only holds private companies accountable for loss or abuse of data and does not put any onus on the lack of security on critical databases such as that of UIDAI.
Loopholes to be Addressed
Moreover, Nikhil Pahwa of MediaNama also claims that these penalties are tiny compared to global standards, especially in sight of the monumental $5 billion fine levied by the EU on Google for misuse of its monopoly among Android users. The draft bill also omits throwing much light on accountability of data and one example of this is the absence of mandatory provisions to inform users when a data breach occurs.
This draft bill which talks about the protection of private data in India lacks some critical aspects and puts the rights of the government on user data ahead of the rights of the citizens themselves. In its present state, the law appears to be a crafty attempt at ensuring data privacy and more like an attempt to grant the government totalitarian-ish control over the citizens’ digital lives – something similar to what exists in China.
While there is no certainty, it is possible that the regulation is coherent with the government’s plans to create a digital surveillance tool aimed at slapping a feeling of patriotism. We believe that the government should spend more efforts consulting international experts to create a solid law which is democratic in all its aspects, not just its appearance.