Our Statement on the Cabinet Approval of the Personal Data Protection Bill, 2019
Today the Union Cabinet approved the Personal Data Protection Bill, 2019. The Government has proposed to introduce the Bill in the ongoing winter session of Parliament.
Our comments to the Justice Srikrishna Committee draft of the Bill can be accessed – here.
Comments submitted to the Justice Srikrishna Committee’s White Paper can be accessed – here.
Our expectations from the revised draft of the Personal Data Protection Bill, 2019:
We hope that the Government has removed the mandatory requirement of storing at least one copy of all personal data in India (mirroring requirement);
Narrowed the ambit and scope of critical personal data – which can only be stored in India; and
Revised the standards for cross-border transfer of personal data to make them less cumbersome.
Government Access to Data and Surveillance Reform
We hope that the Government has considered provisions for surveillance reform and provided for sufficient safeguards against State access to personal data (i.e. processing of personal data by the State without the consent of individuals).
In the current draft, the Government has been provided over-arching exceptions and exemptions to process personal data without requisite procedural safeguards or judicial oversight.
To read our comprehensive report on India’s surveillance laws, please click – here.
Independence of the Regulator
We hope that the Government has made appropriate changes to the regulatory structure proposed in the current version of the Bill i.e. the Data Protection Authority of India (“the DPA”) and the Adjudication Wing, to ensure the independence of these regulatory bodies.
In the current draft, the State has disproportionate control over the DPA and the Adjudication Wing, which will hamper effective enforcement of the law, specially when it applies to the Executive.
In line with the Government’s Pre-Legislative Consultation Policy, we request the Ministry of Electronics and Information Technology to release all comments as received by them in the round of public consultation on the earlier draft of the Bill. This will be in line with principles of transparency and will help all stakeholders comprehensively assess the changes proposed in the new version of the Bill.
(Check paragraph 6 of the Pre-Legislative Consultation Policy – here)
We believe that the Personal Data Protection Bill, 2019, due its complexity and wide import, must be referred to the Standing Committee on Information Technology post its introduction in either House of Parliament. This will also provide sufficient time to stakeholders to give their comments on the latest version of the Bill.