The GDPR (General Data Protection Regulation) is built around data security and protection and around user control of data. China's Cybersecurity Law tilts towards giving the state the upper hand in data processing. India's draft Personal Data Protection Bill 2018 walks a middle path, seemingly wanting to empower both users and the state (giving the latter the benefit of the doubt) as far as personal data protection is concerned.

However, companies processing the data of Indian citizens have been thrown in at the deep end, with the draft mandating that at least one copy of all personal data be stored in India.

Justice B N Srikrishna, under whose leadership the draft was formulated, likened the report and the draft Bill to "buying new shoes. It will be tight in the beginning but will be comfortable later", meaning that data fiduciaries (the entities that decide how and why personal data is processed) would take some time to adapt to the new rules.

On July 27, 2018, the Justice Srikrishna Committee, after working for almost a year on the Bill, released the draft along with a separate committee report on data protection and explained the intent of the Bill: "We have created the draft on the Personal Data Bill keeping the vertices of the triangle in mind. While the citizens' interests have been kept at the top vertex, a fine balance has been struck between the other two vertices — keeping the trade and industries' interests as well as the state's intact."

The draft Bill was submitted to the Ministry of Electronics and Information Technology (MeitY), which will review it and consider the next steps to initiate the parliamentary procedure. That procedure will take its own course: the Bill will first be introduced in the Lok Sabha and then in the Rajya Sabha. If the Rajya Sabha recommends changes, the Bill will be reintroduced in the Lok Sabha for approval. Once both Houses have passed it, the Bill goes to the President of India for assent; the President may return it for reconsideration, with or without recommendations.

The draft puts an emphasis on "informed user consent" for processing of personal data and enshrines a Right to be Forgotten (though not quite the GDPR way). It also prescribes steep penalties and even a list of non-bailable and cognizable criminal offences for violation of the law, recommends setting up a Data Protection Authority of India (DPAI) to deal with all data-related issues in the country, and requires all large ("significant") data fiduciaries to appoint data protection officers.

Even as data, its safety and its security are accorded increasing importance, data frauds are proliferating in India as much as anywhere else in the world. One of the main aims of the Bill is to protect the privacy of personal data and thereby minimise such frauds. The current draft is a step in the right direction on this count.

Commenting on the Bill from a fraud investigation perspective, Jayant Saran, Partner, Forensic-Financial Advisory, Deloitte India, said, "The Bill has placed emphasis on defining various stakeholders and participants such as fiduciary (entity requesting processing of personal data), the processor (analyser of said personal data), and principal (individual to whom the personal data belongs). This is a welcome move considering several other developed economies already have stringent data protection laws."

The Bill also proposes significant financial penalties for non-compliance, which will compel organisations to re-examine how they treat personal data and take appropriate measures to remain compliant, he added.

"Specifically, in the context of corporate fraud investigation and related scrutiny of transactions, the Bill covers the rights of 'data principals' even during allegations of fraud and subsequent investigations," said Saran.

Although much of the critical content of the draft matches the GDPR in principle, including privacy by design and the 4%-of-worldwide-turnover ceiling on penalties for data fiduciaries, there are some large differences in approach between the EU regulation and the Indian Personal Data Protection Bill.

The intent of this article is to understand and analyse these differences of approach, understanding and impact between the Bill and its EU and Chinese peers.

Justice Srikrishna Committee: Starting From Scratch

Although the 67-page draft Personal Data Protection Bill and the 213-page report of the committee of experts were submitted separately, the Bill cannot be reviewed in isolation: the report recommends key amendments to existing Acts such as the Aadhaar Act and the RTI Act, and the amendment bills will be introduced along with the main Bill.

And while a comparison of the GDPR, India's Personal Data Protection Bill and China's Cybersecurity Law (in force since June 2017) is inevitable, processing extreme and opposing inputs from stakeholders and drafting a contemporary data protection bill was no less than rocket science.

Here, it is worth noting that the GDPR evolved from the then Directive 95/46/EC.
In India, by contrast, the 10-member Justice Srikrishna Committee had to start from scratch. Beyond the limited provisions of section 43A of the IT Act, 2000 and the SPDI Rules, 2011, and the RBI's 2018 circular on payment data (which applies only to a limited set of organisations), there was no existing Act or government circular that could have told the Committee where the nation currently stood.

The Committee, chaired by retired Supreme Court judge Justice B N Srikrishna, included department of telecom secretary Aruna Sundararajan, Unique Identification Authority of India (UIDAI) head Ajay Bhushan Pandey, MeitY additional secretary Ajay Kumar, IIT-Raipur director Rajat Moona, national cybersecurity coordinator Gulshan Rai, IIM-Indore director Rishikesha Krishnan, Vidhi Centre for Legal Policy's Arghya Sengupta, and Data Security Council of India's Rama Vedashree.

Data Protection: Confused Wording Dilutes Scope And Intent Of Bill

In its very first sentence, the draft Bill, like the GDPR, recognises that "the right to privacy is a fundamental right". However, in the same sentence the draft uses the word "necessary" rather than "essential" when referring to the protection of personal data.

The GDPR, by contrast, is crystal clear from the beginning. Its first recital says: "The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the 'Charter') and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her. The principles of, and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data."

The intention of the Indian draft Bill gets even more confusing in the very next sentence: "WHEREAS it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation."

This is partly derived from the GDPR, whose Recital 7 calls for "a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market." However, the same recital also states that "natural persons should have control of their own personal data", something the draft Bill misses.

If the intent of the draft Personal Data Protection Bill is to protect the personal data of Indians, why does it dilute its focus to fostering a "free and fair digital economy" (while merely "respecting" one's informational privacy, and omitting keywords such as justice, security and social progress that appear in the GDPR), a topic that could have been dealt with anywhere but in a Personal Data Protection Bill?

This could have been dismissed as a small aberration. However, the Indian minister of law and justice, Ravi Shankar Prasad, said while releasing the draft along with the committee of experts, "India generates lots of data and has immense potential for data analysis."

This statement by the minister raises another doubt over the Centre's intent regarding the draft Bill.
Why is the government interested in the analysis of its citizens' personal data?

However, the third paragraph of the draft brings the intent of the Bill back on track:

"AND WHEREAS it is expedient to make provision: to protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organisational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorised and harmful processing, and to establish a Data Protection Authority for overseeing processing activities."

The way the draft is worded creates confusion over the very scope and intent of the Bill. By contrast, observe the clarity with which the GDPR is worded (Recital 2):

"This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons."

Further (Recital 4): "The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity."

The draft, in Justice Srikrishna's words, aims at "maintaining a fine balance between users' right to privacy without hindering the trade and industry in India." However, considering that the primary purpose of the Bill was to address concerns regarding users' personal data, it could have been drafted much more clearly.

Indian Data Protection Bill: Data Is A Matter Of Trust, Not Property

Unlike the GDPR, which (although it never uses the word "property") is built around the "data subject" and his or her control over personal data concerning them, the draft Indian Personal Data Protection Bill treats data explicitly as a matter of "trust".

Justice Srikrishna said, "We haven't treated data as property here. It's a matter of my trust in somebody and he's answerable to it. That's how we have treated it. That's why we haven't used data subjects which some others like GDPR have treated, but data principals, the ones who have agreed to share their data with data fiduciaries."

So, should data be treated as a "matter of trust" or as "property"? That is a question for another discussion. The practical difference lies in how the rights are exercised: the GDPR's framing around data subjects and their enforceable rights lends itself to a more systematic, automated approach to data governance, and the draft Bill lacks that approach.
For instance, to exercise the right to be forgotten, a data principal will have to go through a lengthy process of filling in a long form and justifying why he or she no longer consents to the use of their data. This defeats the very purpose of the right.

Here is what the "intelligent" and "automated" approach looks like in practice. To enforce the GDPR, every EU member state has its own supervisory authority, so each regulator handles only a fraction of the Union's data volume and enforcement is distributed rather than bottlenecked at a single body.

The GDPR's focus is on data governance. Estonia, for instance, lets a resident log in with his or her national ID at any time and view a log of which of their personal data has been accessed, when, and by whom.

India, by contrast, generates far more data but proposes a single regulatory body to oversee the entire regime. And in the current draft Indian Personal Data Protection Bill 2018, the focus is (in certain respects) on data monitoring and control.

Further, neither the draft Bill nor the report delineates the technology aspect of the framework: how the right to be forgotten, the right to access and the other rights extended to data principals will actually be exercised.

Unlike Estonia, which has deployed purpose-built infrastructure (including blockchain-based integrity logging) for this, the Committee has underlined no technology, and honouring users' rights under the Bill is going to be a tedious, manual and costly affair for many data fiduciaries.

Similarly, since data is a matter of "trust" in the Indian framing, the draft does not use the phrase "right to erasure" (the GDPR's term for the right to be forgotten) but a "right to restrict or prevent continuing disclosure".

Wide Applicability Of Bill But Ambiguity Over Data Storage

In line with the GDPR, the scope of applicability of India's Personal Data Protection Bill 2018 is wide. Apart from India-based data processing companies, it applies equally to data fiduciaries that are not present in Indian territory but are connected in some way with Indian data principals (for instance by offering them goods or services, or profiling them).

However, there is confusion over the Bill's provisions for data storage. The Srikrishna Committee appears to have tried to accommodate extreme views on data storage and is consequently somewhat raw in its approach, a nightmare for many big data, artificial intelligence (AI), machine learning (ML) and IT companies.

Besides being bound to honour users' rights such as the right to access, the right to be forgotten and the right to correction, data fiduciaries face a mirroring requirement: "Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies."

Under the GDPR, storage of personal data outside the EU is treated as a data transfer.
For instance, if a European controller stores personal data on a server in India, even though it accesses that data only from France, the GDPR treats the storage as a transfer of personal data to a third country, which must satisfy the transfer conditions in Chapter V of the regulation.

As far as data localisation is concerned, China's Cybersecurity Law contains a condition similar to the Indian draft Bill. Article 37 of Chapter III of the Law states: "The operators of key information infrastructures shall store within the territory of the People's Republic of China citizens' personal information and critical business data collected and generated during their operations within the territory of the People's Republic of China. Where such information and data shall be exported for business purpose, security assessment shall be gone through pursuant to the measures formulated by the state network and IT authorities together with competent departments of the State Council, unless otherwise provided in laws and administrative regulations."

Now comes the question: how does the draft address information served by a website established outside India but accessible to Indians?

Technology policy experts Amba Kak, Jochai Ben-Avie and Naomi Shiffman at Mozilla opined, "Data localisation is bad for business, users, and security. Notwithstanding the protections on processing in the interest of the security of the state, it's hard to see that this provision is anything but a proxy for enabling surveillance."

Justice Srikrishna, on his part, explained why the decision on data mirroring was taken: "There were extreme views regarding data localisation. Some suggested all the personal data must be stored locally, some suggested it must be freely movable. We have taken a three-fold attitude. There are circumstances when data must be stored here and here only. Then, data could be stored outside too, with a copy stored in Indian territory."

This is not the only confusion data fiduciaries face over localisation. While stating that "critical personal data" shall only be processed on a server or data centre located in India, the Bill widens the ambiguity by leaving it to the central government to decide and notify what counts as "critical personal data".

This matters because the draft hands that power to the Centre, which is itself a data fiduciary and one of the beneficiaries and stakeholders in the data processing game.

Further, the draft is agnostic about sector-specific data and fails to provide clarity on it. Once enacted, the Bill will override the Trai's recommendations as well as the RBI circular, yet the draft does not address the RBI's concerns about critical banking data or the Trai's concerns about telecom data management.

How Does The Draft Personal Data Protection Bill Deal With Data Breaches?

The draft Personal Data Protection Bill outlines different penalties and fines for data breaches, non-compliance and other data-related offences.
For instance, if a data fiduciary contravenes certain provisions, such as the obligation under section 32 of the Bill to take prompt and appropriate action in response to a personal data breach, it is liable to a penalty of up to INR 5 Cr or 2% of its total worldwide turnover for the preceding financial year, whichever is higher.

For more serious contraventions, such as processing personal data without a valid basis or transferring it across borders in breach of the Bill, the draft prescribes a maximum penalty of INR 15 Cr (roughly $2.19 Mn) or 4% of worldwide turnover, whichever is higher. The 4% ceiling mirrors the GDPR, whose top tier is EUR 20 Mn or 4% of worldwide turnover, whichever is higher, though the GDPR's fixed amount is far larger.

The draft also defines separate fines and penalties for individuals, groups of individuals and large data fiduciaries found guilty of misuse of personal data, which leaves room for a large fiduciary to characterise a breach as an individual employee's mistake rather than a company-level failure.

When it comes to breach notification, the Bill again leaves scope for ambiguity: a data fiduciary must notify the DPAI "as soon as possible" of a breach likely to cause "harm" to data principals, without saying how soon.

"The data fiduciary shall notify the Authority of any data breach related to personal data as soon as possible and not later than the time period specified by the Authority, following the breach after accounting for any time that may be required to adopt any urgent measures to remedy the breach or mitigate any immediate harm," says the Bill.

By contrast, the GDPR (Recital 85) clearly states: "As soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."

Confusion, Chaos, And Criticism Apart, The Draft Bill Is A Good Place To Start

The Srikrishna Committee has already faced its fair share of criticism on many issues, from the delay in tabling the draft to the way it addresses personal data, including its classification, localisation and definition. However, processing thousands of inputs from diverse stakeholders, many of them extreme and contradictory, could not have been an easy job, particularly when starting from scratch.

At the same time, given that many draft bills, despite brilliantly addressing the issues at hand, have never seen the light of day thanks to parliamentary procedure, committees need to take the shortcomings of our parliamentarians into account while drafting a Bill.

And the Srikrishna Committee has kept this in mind, with Justice Srikrishna being open to modification of the draft: "This is the first step, as things progress as technology keeps changing in this world, it might become necessary to fine tune the law to overcome the technological challenges."

Someone once gave this sane piece of advice: "Choose your battles wisely." The Justice Srikrishna Committee seems to have taken this advice seriously while shouldering the huge and contentious task of drafting the Indian Personal Data Protection Bill 2018.

It may be far from perfect, it may be ambiguous, it may seem to ignore the concerns of some stakeholders while trying to strike the "fine balance between users' right to privacy without hindering the trade and industry in India", and companies may feel left out in the cold for a bit.
But it strives very hard to achieve that balance and to empower both data principals (individuals) and data fiduciaries when it comes to data privacy and rights.

And the best part is that it remains open to fine-tuning while striving for that balance. A big first step, after all.