Hard on the heels of Europe's General Data Protection Regulation (GDPR), India has come up with its draft Personal Data Protection Bill 2018.
The draft bill will cover jurisdiction over personal data collected and shared in India. It mainly relates to data collected by companies incorporated under Indian law. The bill also proposes setting up a Data Protection Authority of India (DPA) to ensure the law is properly implemented.
Broadly, the bill incorporates many accepted principles to guarantee privacy for citizens. It indicates that a notification must be sent to individuals before data can be collected from them. It also upholds the rights to confirmation, access, correction and data portability, as well as the right to "be forgotten." The norms for storing and processing personal data are covered, too. Under the bill, Indian businesses would have to store at least one copy of data on a server or data center located in India.
But there are various issues with the draft bill. Because it puts the onus of consent on the user, it is likely to be ineffective in many areas. More often than not, users do not have the time or understanding to go through lengthy, jargon-filled documents.
Possibly the biggest problem with the draft bill is that, unlike GDPR, it gives the state the right to process personal data without first obtaining consent from citizens. Section 13 of the draft bill says personal data can be processed "for the exercise of any function of the state" and without the consent of the individual as long as it is to provide a service or benefit to that individual. It does not define the government's liability to use an individual's data without his or her consent.
India faces a number of challenges where data protection of individuals is concerned. For a start, it was caught up in the Facebook/Cambridge Analytica data-harvesting scandal when it transpired that information on 600,000 Indians was shared, making India the sixth most affected country.
There is also concern about the security of the government's Aadhaar system, which provides every citizen with a 13-digit number linked to their bank account details and other government schemes. R.S. Sharma, the head of the Telecom Regulatory Authority of India, recently shared his Aadhaar number on Twitter to show he did not think it would not cause him any harm. Soon enough, Sharma's bank account, phone number and other personal details were made public. The episode ended up putting the focus on the data security aspect of Aadhaar.
Aadhaar has been shrouded in controversy since its inception and is at the center of a data protection debate in India. One journalist has claimed she was able to access the entire Aadhaar database after paying as little as 500 Indian rupees ($7.2). The draft bill recommends changes to Aadhaar to boost data protection.
Nevertheless, while there are undeniably issues with the draft bill, it represents a step in the right direction for India. Recent events emphasize the need for legal measures to protect citizens' data, especially as a growing number of Indians use Internet platforms for their financial activities.
— Gagandeep Kaur, contributing editor, special to Light Reading