Ministry of Electronics and Information Technology (MeitY)
Room No. 4016, Electronics Niketan,
6 CGO Complex,
New Delhi – 110 003
Online submission form: http://meity.gov.in/content/data-protection-bill-feedback
29 September 2018
Subject: Consultation on the Personal Data Protection Bill 2018
We have read with great interest the recent publication by your Ministry of the report and draft Personal Data Protection Bill (hereafter the "draft law") submitted by the Committee of Experts on Data Protection chaired by Justice B.N. Srikrishna.
As you know, we have followed the progress of data protection reform in India closely over the past year, and in January we participated in the consultation on the White Paper on Data Protection Framework for India. Given the significant data flows from the EU to India and the territorial scope of application of the draft law, which will also cover foreign operators under certain conditions, the outcome of this reform process is of direct relevance to us.
We want to congratulate the Committee led by Justice B.N. Srikrishna on the impressive result of its rigorous work. We would also like to commend the open and inclusive consultation process organised by the Indian authorities. The report and draft law confirm that privacy is an area where the EU and India share common values and interests.
Building on these shared values, increasing convergence between our systems could bring very significant benefits to our economies. This would in particular facilitate trade flows, which increasingly rely on personal data transfers, while ensuring a high level of protection of the data exchanged between India and the EU.
The report and draft law proposed by the Committee lay the ground for an Indian data protection system characterised by the four key elements of a modern data protection regime: an overarching ("horizontal") law rather than sectoral rules; a core set of data protection principles; an empowerment of individuals with rights to control their data; and finally, the creation of an independent supervisory authority with effective powers to ensure the enforcement of those rules.
With the new law in place, India would be joining the growing trend of global convergence in this area. This is certainly true for the Asia-Pacific area, where countries like Japan, Korea or New Zealand have put in place data protection laws based on these principles, but also in many other regions of the world such as, for example, Latin America where Brazil passed its own law in August this year and Chile has recently announced the setting up of an independent data protection authority, while Argentina is currently reforming its privacy legislation. As a leading world economy and the world’s largest democracy, India's endorsement of a high level of data protection would constitute a critical example at a moment where there is an increasing demand for international standards on privacy.
Importantly, if adopted, the law would certainly contribute to facilitating data flows between the EU and India, and could open the way for a possible adequacy dialogue.
Based on our recent experience with reforming our data protection regime (including through a similar consultation process), and in full respect of India's sovereign decision-making process, we would like to offer the following general observations and comments on the draft law for your consideration:
To effectively play its role, it is essential that such an Authority acts with complete independence and impartiality in performing its duties and exercising its powers, free from any external influence. While the draft law highlights this aspect for the Adjudicating Officers, we did not find a clear statement in this regard for the DPA as such. Similarly, the articles concerning the Appellate Tribunal could benefit from further clarification as regards the qualifications, terms and conditions of appointment, grounds for removal, etc. of its members, as is the case for the Data Protection Authority.
Moreover, any suggestion that the Authority could be influenced by the Central Government through "directions" or any other decisions regarding, for example, human or financial resources, could undermine its legitimacy, effectiveness and authority. In this regard, the provision in the draft law according to which "[t]he Central Government may, from time to time, issue to the Authority such directions as it may think necessary in the interest of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States or public order" might raise questions. The Authority would indeed be "bound" by these "directions on questions of policy". Moreover, as these "directions" shall be "final", they would according to the draft law not be subject to judicial review. The power given to the Central Government to issue binding instructions to the Authority based on such general considerations as the "integrity of India" or "public order" could put at risk the very independence of the Authority.
Also, the provision that prescribes that "the Central Government may, after due appropriation by Parliament by law in this behalf, make to the authority grants of such sums of money as it thinks fit for the purposes of this Act" could be interpreted as granting the Government broad discretion to determine the budgetary allocations to the Authority. In this respect, it might be useful to clarify that the Authority must in any case have the financial resources necessary to accomplish its mission effectively and in full independence.
Lastly, Section 100 of the draft law seems to suggest that neither individuals nor business operators would be able to challenge any action by the Authority as long as the latter has acted in "good faith". While independence from the Executive is crucial, this appears to eliminate an important element of judicial control over the conduct of the Authority.
Pursuant to the Bill, for instance, data processing operations in the field of law enforcement and national intelligence would not be required to comply with obligations concerning, inter alia, purpose limitation, collection limitation, lawful processing, notice, data quality, data storage limitation, or accountability, nor to be grounded in explicit legal bases outside of a general requirement to satisfy the requirements of legality, necessity and proportionality. Such processing operations by the State would not require data principals to be afforded access or other rights, nor must they comply with transparency and accountability measures, outside of the application of security safeguards.
A more balanced approach might be to provide for mechanisms and processes to reconcile these objectives with the right to data protection in individual cases. In our experience, high data protection standards and effective law enforcement and security operations are not mutually exclusive but can – and actually should – go hand in hand. Such standards contribute to legal certainty, notably by ensuring that evidence is collected lawfully and is thus protected from legal challenges when later used in court proceedings, and can enable law enforcement authorities and judicial authorities to cooperate more effectively and more rapidly with each other, including at international level. To limit any interference with the fundamental rights of the persons whose data is processed for law enforcement and national security reasons, providing at least some essential guarantees (e.g. need for a legal basis, independent oversight, effective remedies for individuals) could be useful. Also, the effectiveness of law enforcement or national security operations can be preserved by providing, for example, that the exercise of the rights of individuals can be restricted – or postponed – to the extent this is necessary and proportionate to avoid prejudicing ongoing investigations.
In our view, such localisation requirements are not necessary, be it from a data protection standpoint, as a matter of economic policy or from a law enforcement perspective:
As regards the protection of personal data, we firmly believe that modern data protection regimes should be designed to afford individuals a high level of protection while facilitating data flows in a way that maximises economic opportunity and consumer interests. As the EU data protection regime shows, a regime that is open to (and in fact facilitates) international transfers while ensuring a high level of protection is possible. Towards this end, our rules, which do not contain any data localization requirements, offer a variety of flexible tools, adapted to different business models and transfer situations, that range from adequacy to contractual instruments and from specific statutory transfer bases (so-called "derogations") to codes of conduct or certification mechanisms.
As a matter of economic policy, such an approach will create significant costs for companies – in particular, foreign ones – linked to setting up additional processing/storage facilities, duplicating such infrastructure, etc., and is thus likely to have negative effects on trade and investment. If implemented, this kind of provision would also likely hinder data transfers and complicate the facilitation of commercial exchanges, including in the context of EU-India bilateral negotiations on a possible free trade agreement. We are also convinced that, contrary to what is sometimes suggested, India's thriving tech industry does not need this type of forced-localization measure: India is already a top world leader in the data processing industry and has built one of the best digital ecosystems in the world without having recourse to forced localization measures. On the contrary, such measures might deter foreign investment, as foreign clients and companies might prefer to switch the processing of their data to a country that does not impose these types of costly constraints. Very much like Ms. Rama Vedashree in her comments on the Srikrishna Committee's report, we believe that "mandating data localization may potentially become a trade barrier and the key markets for the industry could mandate similar barriers on the trade flows to India which could disrupt the IT-BPM industry". Besides, the existence of such requirements might lead to the multiplication of difficult conflicts of laws where other countries impose similar but contradictory requirements concerning the same personal data.
Lastly, data localization is by no means the only way to ensure that law enforcement authorities are enabled to obtain (legitimate) access to electronic evidence. In this respect, the EU is facing similar challenges as India. However, rather than forcing the localization of personal data in the EU, it is currently preparing legislation that will allow the police and prosecutors to access electronic information, irrespective of whether it is stored in the EU or not. A similar approach has been adopted by the United States with the US CLOUD Act. Aside from these national legislative approaches, the ideal solution might actually be a multilateral arrangement allowing for mutual access to data. While it needs further strengthening, the Council of Europe's Budapest (Cybercrime) Convention, open to all countries around the globe, is such an instrument and it might be useful for India to consider joining the Convention (which is currently under revision).
For instance, the draft law contains no right for individuals significantly affected by decisions based solely on automated processing (e.g. rejection of an online credit application, e-recruiting, etc.) to at least request and obtain an explanation of the logic of such decisions, to be able to challenge them and to obtain human intervention to possibly revise them. Automated individual decision-making and profiling have great potential to speed up decisions and make them more informed and objective. At the same time, they can also pose risks for individuals, for instance if the underlying algorithms are “biased”.
Regarding the right of access, the draft law provides for a right to obtain "a brief summary of the personal data being processed". However, there is a question as to whether such a "brief summary" could ensure that the individual receives comprehensive information about the collection and use of his/her personal data by the data fiduciary (for example, how could a "brief summary" of someone's health data be of any use to an individual?), and thus how helpful such a summary will be. Instead, the law could be more specific and empower the data principal with a right to have access to all his/her data, including a copy of all data relating to him/her that are collected or processed.
Also, in order to ensure control of the individual over his/her personal data, it would be important to provide data principals with the "right to object" to processing, at least in situations where such processing takes place for “reasonable purposes” (Section 17). The exercise of this right would not be absolute and could be submitted to conditions to be specified in the law. For example, the exercise of the right could be excluded if the data fiduciary demonstrates compelling legitimate grounds that outweigh the interests of the data principal.
We also note that Section 27 titled the "Right to Be Forgotten" provides individuals with "the right to restrict or prevent continuing disclosure" in limited cases. It might be useful to go beyond this and to give individuals, under certain conditions, the right to have their personal data erased (in particular when the purpose of processing has been achieved or the processing is unlawful).
Finally, also in light of the fact that we have in the past years gone through a similar process of consultation with stakeholders and reform of our data protection rules, we would like to express our readiness to share our experience and further discuss these issues with you, remotely or by coming to India in case this would be of interest.
We hope that these observations will be useful to you and wish you every success in this very important endeavour.
Head of Unit – International Data Flows and Protection
Directorate-General for Justice & Consumers
Rue Montoyer 59 (office MO59 03/003),
B-1049 Brussels, Belgium
Tel. (32-2) 296.31.63