The European Union (EU) has expressed reservations about the draft Personal Data Protection bill 2018 that is currently being proposed by the Indian government.
The bill, which calls for data localisation, is being described as India’s very own General Data Protection Regulation (GDPR) — an EU framework of data protection norms that went live in May.
In an online submission to the Ministry of Electronics and Information Technology (MeitY), Bruno Gencarelli, who serves as the head of the International Data Flows and Protection Unit at the European Commission (EC), listed seven detailed reservations about the draft bill. The submission, dated September 29, came a day before MeitY’s deadline for feedback submissions on the bill.
Gencarelli, who has played an important role in the roll out of the GDPR, expressed concern over the provisions in the draft Bill that leave it to the discretion of the central government or the Data Protection Authority (DPA) to decide on key matters rather than dealing with them in the Bill itself, which could create some uncertainties.
The other provision that drew detailed criticism from the EC is one that mandates every data fiduciary (a person, state, company, or any entity that decides why data should be processed and how it should be processed) ensure storage of at least one copy of a user’s personal data on a server or data centre located in India.
These data localisation requirements appear both unnecessary and potentially harmful as they would create unnecessary costs, difficulties, and uncertainties that could hamper business and investments. — Bruno Gencarelli, EC
He was referring to the costs for companies — in particular, foreign ones – for setting up additional processing/storage facilities in India.
“If implemented, this kind of provision would also likely hinder data transfers… contrary to what is sometimes suggested, India’s striving tech industry does not need this type of forced-localisation measures,” wrote Gencarelli.
Gencarelli also wrote if the draft bill in its current form were to be finalised, it would not only have far-reaching negative consequences for businesses but on politics as well.
Such measures might deter foreign investments in India and would also likely hinder data transfers and complicate the facilitation of commercial exchanges in the context of EU-India bilateral negotiations on a possible free trade agreement, Gencarelli added.
He offered an alternative solution to this provision and acknowledged that the EU too is preparing a legislation to enable law enforcement authorities to obtain (legitimate) access to electronic evidence, irrespective of whether it is stored in the EU or not.
The ideal solution might actually be a multilateral arrangement allowing for mutual access to data — Bruno Gencarelli, EC
Data Protection The Need Of The Hour
Governments across the world are drafting and implementing laws around the flow of data. Countries such as Japan, Korea, and New Zealand have already passed data protection laws based on the principle of data localisation. Meanwhile, in Latin America, Brazil passed its own law in August this year while Chile recently announced the setting up of an independent data protection authority; Argentina is currently reforming its privacy legislation.
After the Facebook-Cambridge Analytica scandal, regulators around the world are looking for ways to be more proactive than reactive to the power of data. With very little precedent in terms of policy and laws, this has led to increased tensions between governments and tech companies.
In July end, a high-level panel headed by Justice B N Srikrishna submitted its recommendations and the draft Personal Data Protection Bill 2018 to IT minister Ravi Shankar Prasad. Since then, the Indian government has faced a backlash from members of the business community and associations such as the Internet and Mobile Association of India, NASSCOM, and ecommerce companies like Amazon and Walmart over the provisions of the draft Bill.