{"id":1450,"date":"2018-07-27T14:20:08","date_gmt":"2018-07-27T22:20:08","guid":{"rendered":"https:\/\/blog.mozilla.org\/netpolicy\/?p=1450"},"modified":"2018-07-29T22:28:16","modified_gmt":"2018-07-30T06:28:16","slug":"indian-draft-data-protection-bill","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/","title":{"rendered":"Mozilla weighs in on India\u2019s draft data protection bill"},"content":{"rendered":"<p>Yesterday, on July 27th, 2018, the Justice Srikrishna Committee of Experts, set up by the Government of India, made public its final report and the draft of India\u2019s first comprehensive data protection law. We have long argued that the enactment of a baseline data protection law should be a national policy priority for India, and we\u2019re pleased to see India take an important step forward towards enacting real privacy protections.<\/p>\n<p>The legislation is groundbreaking in several respects, codifying principles and enforcement mechanisms that <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/files\/2018\/02\/Mozilla-submission-to-Srikrishna-Committee.pdf\">Mozilla has advocated<\/a> are foundational to a robust data protection framework. But the law is not without loopholes, many of which threaten to dislodge these strong foundations.<\/p>\n<p>Mozilla Chairwoman Mitchell Baker observed: \u201cIndia\u2019s data protection law will shape the relationship between users and the companies and government entities they entrust with their data. This draft bill is a strong start, but to truly protect the privacy of all Indians, we can\u2019t afford loopholes such as the bill\u2019s broad exceptions for government use of data and data localization requirements. Mozilla will continue to advocate for changes; with this bill, India has the opportunity to be a model to the world.\u201d<\/p>\n<p>As this bill makes its way to law, an open and consultative process is essential. 
We will continue to advocate to the Government to make necessary changes in the bill.<\/p>\n<p>Top-level highlights from the bill include:<\/p>\n<ol>\n<li><b>Obligations &#8211; <\/b>Strong obligations that apply to both private companies and the government, including purpose limitation, collection limitation, data security, documentation, and a general duty to process data in a way that\u2019s \u201cfair and reasonable\u201d and \u201crespects the privacy\u201d of the person. This law applies to Indian residents\u2019 data wherever it may be processed.<\/li>\n<li><b>The Data Protection Authority &#8211; <\/b>Creation of an independent Data Protection Authority with expansive powers including investigatory, adjudicatory, and punitive powers, as well as a separate Adjudicating Officer to take complaints, impose penalties, and mete out compensation to individuals. <b>However, <\/b>the independence of the adjudicatory authority and appellate tribunal responsible for legal proceedings related to data protection violations is severely lacking. The qualifications and nominations of those serving in these bodies are entirely prescribed by the government, as are the procedures of the bodies themselves. The system as it currently stands delegates far too much authority to the Central Government. The power of setting qualifications and procedures and nominating individuals to serve in the adjudicatory authority and appellate tribunal should be reserved for the DPA, which operates independently of the government.<\/li>\n<li><b>High standard for consent<\/b> &#8211; For consent to be valid it must be free, informed, specific, clear, and capable of being withdrawn. This sets a high bar for companies seeking to validate their actions on the basis of consent. \u201cExplicit consent\u201d is required for processing of sensitive data.<\/li>\n<li><b>Grounds for Processing &#8211; <\/b>The bill allows for data processing for &#8220;reasonable purposes&#8221;. 
While similar in intent to the GDPR\u2019s &#8220;legitimate interest&#8221; ground, the bill limits the potential for abuse by providing conditions on the basis of which data may be processed, as well as an illustrative list of categories that fulfil these conditions. We think this is an improvement on the GDPR standard, which, as we noted in our submission, can \u201ceasily be abused by companies\u201d who may argue that \u201cinnovation\u201d itself is always a reasonable pursuit, even where it may put the privacy of users at risk.<\/li>\n<li><b>Biometric Data &#8211; <\/b>Biometric data and the Aadhaar identification number are included in the definition of sensitive personal data, which comes with stricter obligations. The bill includes a generally inclusive and progressive list of sensitive personal data, including data related to religious or political belief, sexuality, transgender, and intersex status. Section 106 bars processing certain forms of biometric data as determined by the Central Government, unless the processing is explicitly permitted by law. This provision could be used to curtail the lax limitations on the handling of Aadhaar data.<\/li>\n<li><b>Individual Rights &#8211; <\/b>Individuals are provided comprehensive rights of correction, updation, and data portability. <b>However<\/b>, rights to deletion and to object to processing, which are guaranteed by other data protection laws around the world including the EU\u2019s GDPR, are notably missing. Users may have to pay for certain rights, which could entrench existing inequalities and create haves and have-nots for privacy.<\/li>\n<li><b>Data Processing for Security &#8211; <\/b>Data processing for security, intelligence, and law enforcement purposes must be \u201cnecessary and proportionate\u201d, and must be authorised by a law passed by Parliament. 
While a quick reading of this bill might suggest that there are exceptions for \u201csecurity of state\u201d data processing and the potential for mass surveillance, Section 42.1 actually provides substantive protections. For the number of intelligence and security agencies that currently operate in a legal vacuum, this bill would necessitate regulation, and one that meets the standards of \u201cnecessary and proportionate\u201d. The \u201cnecessary and proportionate\u201d standard is a critical part of international human rights law around surveillance, as well as the <i>Puttaswamy<\/i> judgement, and prevents this bill from ushering in mass surveillance. Section 42.1, if enacted, will necessitate a public debate about the appropriate limits of Indian government surveillance &#8212; data processing for security, intelligence, and law enforcement purposes cannot happen in the absence of such a debate and subsequent law.<\/li>\n<li><b>Cross-border Data Transfer &#8211; <\/b>The bill makes cross-border data transfer possible through a variety of means, but rejects consent alone as sufficient for transfer, and conditions transfers on having a high level of data protection in place.<\/li>\n<\/ol>\n<p><b>Some Particularly Worrying Provisions<\/b><\/p>\n<ol>\n<li><b>Data Localization &#8211; <\/b>A copy of all personal data is required to be stored in India. As we have argued, <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/06\/22\/data-localization-india\/\">data localization is bad for business, users, and security<\/a>. 
Notwithstanding the protections on processing in the interest of the security of the state, it\u2019s hard to see that this provision is anything but a proxy for enabling surveillance.<\/li>\n<li><b>Government Data Processing &#8211; <\/b>A large swathe of government data processing activities for both sensitive and non-sensitive data, including for the provision of any service or benefit to a data principal, is exempt from the requirement of obtaining consent. <b>However, <\/b>the government needs to show that any processing of personal data is \u201cnecessary\u201d and processing of sensitive personal data is \u201cstrictly necessary\u201d for the exercise of any function of the State authorised by law for the provision of service or benefit. This means that the government must prove that processing data such as workplace, address, or phone number is \u201cnecessary\u201d and processing data such as passwords, financial data, and biometric data is \u201cstrictly necessary\u201d for any function that would provide a service or benefit. 
There is no necessity standard for government processing of non-personal data.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday, on July 27th, 2018, the Justice Srikrishna Committee of Experts, set up by the Government of India, made public its final report and the draft of India\u2019s first comprehensive &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/\">Read more<\/a><\/p>\n","protected":false},"author":1570,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[283226,10137],"tags":[],"coauthors":[318936,290387,318935],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Mozilla weighs in on India\u2019s draft data protection bill - Open Policy &amp; Advocacy<\/title>\n<meta name=\"description\" content=\"Yesterday, the Justice Srikrishna Committee of Experts, set up by the Government of India, made public its final report and the draft of India\u2019s first comprehensive data protection law.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Amba Kak, Jochai Ben-Avie, Naomi Shiffman\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/\",\"name\":\"Mozilla weighs in on India\u2019s draft data protection bill - Open Policy &amp; Advocacy\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\"},\"datePublished\":\"2018-07-27T22:20:08+00:00\",\"dateModified\":\"2018-07-30T06:28:16+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/e1bb413b6aa71db44fb80d09212bc7a4\"},\"description\":\"Yesterday, the Justice Srikrishna Committee of Experts, set up by the Government of India, made public its final report and the draft of India\u2019s first comprehensive data protection law.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/netpolicy\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Mozilla weighs in on India\u2019s draft data protection bill\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/netpolicy\/\",\"name\":\"Open Policy &amp; Advocacy\",\"description\":\"Mozilla&#039;s official blog on open Internet policy initiatives and 
developments\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/e1bb413b6aa71db44fb80d09212bc7a4\",\"name\":\"Amba Kak\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/91cf773f2e4ece9b94c32f3018ee6f26\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4a71d2e0be0a90a7889819b02502a99f?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4a71d2e0be0a90a7889819b02502a99f?s=96&d=mm&r=g\",\"caption\":\"Amba Kak\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Mozilla weighs in on India\u2019s draft data protection bill - Open Policy &amp; Advocacy","description":"Yesterday, the Justice Srikrishna Committee of Experts, set up by the Government of India, made public its final report and the draft of India\u2019s first comprehensive data protection law.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/","twitter_misc":{"Written by":"Amba Kak, Jochai Ben-Avie, Naomi Shiffman","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/","url":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/","name":"Mozilla weighs in on India\u2019s draft data protection bill - Open Policy &amp; Advocacy","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/#website"},"datePublished":"2018-07-27T22:20:08+00:00","dateModified":"2018-07-30T06:28:16+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/e1bb413b6aa71db44fb80d09212bc7a4"},"description":"Yesterday, the Justice Srikrishna Committee of Experts, set up by the Government of India, made public its final report and the draft of India\u2019s first comprehensive data protection law.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/netpolicy\/2018\/07\/27\/indian-draft-data-protection-bill\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/netpolicy\/"},{"@type":"ListItem","position":2,"name":"Mozilla weighs in on India\u2019s draft data protection bill"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#website","url":"https:\/\/blog.mozilla.org\/netpolicy\/","name":"Open Policy &amp; Advocacy","description":"Mozilla&#039;s official blog on open Internet policy initiatives and developments","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/netpolicy\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/e1bb413b6aa71db44fb80d09212bc7a4","name":"Amba Kak","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/netpolicy\/#\/schema\/person\/image\/91cf773f2e4ece9b94c32f3018ee6f26","url":"https:\/\/secure.gravatar.com\/avatar\/4a71d2e0be0a90a7889819b02502a99f?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4a71d2e0be0a90a7889819b02502a99f?s=96&d=mm&r=g","caption":"Amba Kak"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/1450"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/users\/1570"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/comments?post=1450"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/posts\/1450\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/media?parent=1450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/categories?post=1450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/tags?post=1450"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/netpolicy\/wp-json\/wp\/v2\/coauthors?post=1450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}