India's Data Protection Bill 2.0: What Works, What Doesn'tThree experts describe areas where the bill can be improved
India's current Data Protection draft bill is a sea change from its earlier version. What works in the new bill and what does not work? Three experts - Justice Srikrishna, former justice, the Supreme Court of India, who headed up the earlier draft of the bill; Khushbu Jain, advocate the Supreme Court of India and Rahul Sharma, founder the Perspective, a privacy consultation firm – share their views on the practical implementation of some of the requirements of the bill.
See Also: The CISO's Response Plan After a Breach
“I am surprised that the bill states that the government can be exempted from any provision, government companies can be exempted from the scope of the bill. So your fundamental right is at the mercy of some executive who will pass an order and say he is exempted. Moreover, here the regulator is not an independent body. I am surprised that at every stage they have slowly vetted away whatever little rights individuals had in the previous version,” says Srikrishna.
For Sharma, the current draft bill is simple and not complex, but he says it has been created in a hurried manner. “This bill tries to reduce some of the complexities. It is more simple in drafting. However, in the larger context, it takes away the focus from putting users or data principals’ privacy rights at the center and then drafting the bill accordingly. This comes across as more progressive and has less burden on stakeholders.”
Jain says that to achieve simplicity, the bill has left many things vague. “There are many definitions which have been kept vague, exemptions by the government is also vague. Even on penalties, you are not making it clear.” Jain suggests that when it comes to penalties it is not fair for an Indian startup to pay the same amount as tech giants such as Google.
In a discussion with Information Security Media Group, the panelists also consider:
- The practical challenges of implementing the bill;
- The areas where the bill works;
- What more needs to be done.
Jain is a practicing advocate before the Supreme Court of India and founding partner ARK Legal. She is also a public speaker, skills trainer, opinion column writer and a frequent guest on national television. She specializes in business litigation and handles legal matters around information technology.
Srikrishna is a retired judge of the Supreme Court of India. He was appointed chairperson of the Data Protection Committee that proposed a data protection framework for India. He also serves as chairperson of the Advisory Committee on Individual Insolvency & Bankruptcy.
Sharma is the founder of The Perspective, a consultancy specializing in data policy and privacy. He has more than a decade of experience working in technology, public policy, cybersecurity and privacy.