The draft Personal Data Protection bill that was released to the public a few months ago is groundbreaking in many ways, but it contains serious loopholes which need to be fixed.
The bad
- Government use of data & surveillance: Even though the Bill has strong requirements on private companies, it has very weak protections when it comes to the government’s use of data and to surveillance agencies.
- Missing rights: The Bill is missing the key right to object to the processing of data, which is especially concerning since the government isn't required to ask for consent. The Bill also allows users to be charged a fee for changing or correcting their data.
- Independence of regulator: This bill creates an authority to investigate and fine companies and the government if they put our data and privacy at risk. However, this body has not been made sufficiently independent from the government. This needs to change for the law to effectively regulate government agencies.
- Blanket data localization: This bill requires a copy of all personal data to be stored on servers in India. This would be bad for users, security, and businesses, and could be a way to enable easier surveillance.
The good
The bill also has many good provisions that protect our privacy. These should not be eroded. These include:
- Strong obligations: This bill puts limits on what companies and the government can do with your data - how much they collect, what they use it for, how they keep it safe.
- Data Protection Authority: This bill creates an authority that will be empowered to investigate and fine companies and the government if they put our data and privacy at risk. It is also their duty to take requests and complaints from individuals, and grant compensation for privacy violations. However, the government has too much discretion in deciding who this body will be. If the body is not sufficiently independent, how will it effectively regulate government agencies?
- Consent: This bill defines and puts in place meaningful consent - which means that the long tedious ‘privacy policy’ you’ve had to blindly accept will have to change to be easier to understand and give you a meaningful choice.
- Biometric Data: This bill states that biometric data and the Aadhaar number are “sensitive personal data” which means that in order for this data to be collected, processed etc, there are stricter obligations in place.
- No exceptions for agencies: This bill will ensure that data processing by security, intelligence, and law enforcement agencies will now have to be scrutinized and limited by law.