The 2019 Data Protection Bill – An Intractable Balance

The Data Protection Bill, which was drafted in July 2018 by a 10-member team led by retd. Justice BN Srikrishna, will
probably be tabled in the Winter session of Parliament. It proposes the creation of a Data Protection Authority in
India to prevent personal information misuse and imposes frameworks for data localization [1]. Union
Communications, Electronics and Information Technology Minister Ravi Shankar Prasad on Monday said the Data
Protection Bill is ready and would be placed in Parliament soon. He said that the bill would offer a pragmatic view of
all aspects of the Internet, like accessibility, availability, privacy, neutrality, commerce and local data warehousing.
The bill also sets guidelines in place on “critical” or “sensitive data”, and mandates that such data is stored strictly
within Indian data warehouses.

If data is the new oil, then this might sound like just the framework that we need to regulate the supply lines.
However, the statements made thus far about this bill may have a certain degree of specificity towards its
expectations from data handling that may not resonate perfectly with all the stakeholders involved. For instance,
Minister Ravi Shankar Prasad also said that while the government is for free and fair accessibility of Internet through
various gates and against any restriction, it cannot allow terrorists to make use of the privacy plea while regretting
that some apps, like WhatsApp, are not doing enough to check the misuse of the medium by radicalists. He said the
government should be able to know the origin of fake news and other misuse and it would bring in regulations to
check abuse of the medium by these apps.
A similar concern was tabled by BJP leader Ashwini Kumar Upadhyay, who sought to link social media accounts of
Indian citizens with their Aadhar, so as to add accountability to the content posted by users and curb fake news.
However, this petition was not entertained by the Supreme Court, asking Upadhyay to move to the Madras High
Court with this issue [2]. As per a Supreme court ruling, Aadhar is meant for availing government benefits, not for
private usage.[3] While social media giants like Facebook and Twitter are being cajoled to take sterner measures
towards regulating content that may instigate social unrest, this request is at odds with the very privacy that this bill
seeks to enforce, which was declared as a fundamental right in 2017. Social media firms and legal bodies have their
work cut out for them, carving out a robust middle ground between privacy and traceability. These cases are in
strong resonance with the 2016 Apple encryption case, wherein Apple refused to provide a backdoor into their
devices to the FBI. The outcome of the case suggests that any changes in the content regulation strategy on social
media, be it instigated by the government, the courts, or the social media giants themselves, has to take the core
values of the firm in question.

Similar bills have already been introduced in other countries over 2019, including Sri Lanka and Ecuador, both of
whom take notes from the European General Data Protection Regulation GDPR draft. However, the Sri Lankan bill
focuses more on data privacy protection and effective cross-border co-operation.[4] On the other hand, the Ecuador
equivalent was designed in a rushed manner, in response to a massive data breach which left the personally
identifiable information (PII) of over 20 million people on an unprotected server. Thus, the focus of the Ecuador data
protection bill was towards data processing practices, data subject rights and data provisions to external entities.[5]
The GDPR of the European Union is serves as a comprehensive data protection guideline. While much still remains
speculative about the Indian Data Protection bill, there are certain unique features in the GDPR that can add value to
it, as given below [6]:
 Clear, straight-forward privacy policies
 Silence is no consent. Clear user consent needed by a business to use their data.
 Transfer of personal data, if any, needs to be clearly notified to the user
 The occurrence of a harmful data breach should be notified to the user
 User’s right to access their data that the business has

Based on the considerations made by other nations, it seems that the Indian data protection bill aims to resolve a
rather unique conundrum, that is not only limited to protection of data, but also purposefully expands to responsible
utilization of online data. Given what was mentioned by Mr. Ravi Shankar Prasad about data misuse, no data
protection bill in any other geography thus far has tabled data monitoring in its charter. Either we’ve seen this
problem at an early stage, or at a massive scale, given the population of the country. Therefore, India needs to
achieve a future-proof balance between data protection and supervision with this bill. While this may seem like an
intractable challenge, if solved, it would set the Indian Data Protection Bill as a iron-clad benchmark for future
legislations focused on protecting the citizen in the digital ecosystem.
Written by:
Saransh Kejriwal
(b19043@astra.xlri.ac.in)

References

[1] NDTV Gadgets 360. (2019). New Data Protection Bill to Be Placed in Parliament Soon: Prasad. [online] Available
at: https://gadgets.ndtv.com/internet/news/new-data-protection-bill-to-be-placed-in-parliament-soon-prasad-
2116982 [Accessed 19 Oct. 2019].

[2] Times Of India. (2019). SC junks plea seeking to link Aadhaar with social media accounts | India News - Times of
India. [online] The Times of India. Available at: https://timesofindia.indiatimes.com/india/sc-junks-plea-seeking-to-
link-aadhaar-with-social-media-accounts/articleshow/71589042.cms [Accessed 19 Oct. 2019].

[3] DASGUPTA, D. (2019). India debates linking social media accounts to government IDs. [online] The Straits Times.
Available at: https://www.straitstimes.com/asia/south-asia/india-debates-linking-social-media-accounts-to-
government-ids [Accessed 19 Oct. 2019].

[4] Babele, A. (2019). Summary: Sri Lanka Personal Data Protection Bill - MediaNama. [online] MediaNama. Available
at: https://www.medianama.com/2019/07/223-summary-sri-lanka-personal-data-protection-bill/ [Accessed 19 Oct.
2019].

[5]Financial Times(2019). Ecuador fast-tracks data privacy law after massive breach | Financial Times. [online]
Available at: https://www.ft.com/content/35f9aea0-dbb0-11e9-8f9b-77216ebe1f17 [Accessed 19 Oct. 2019].

[6] European Commission - European Commission. (2019). EU data protection rules. [online] Available at:
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-
protection-rules/eu-data-protection-rules_en [Accessed 19 Oct. 2019].