India moved closer to its first data privacy law on Friday after a committee, headed by former Supreme Court judge BN Srikrishna, proposed a draft Personal Data Protection Bill. The draft bill provides for the formation of a Data Protection Authority of India to protect citizens’ data and privacy — a growing concern in an increasingly digitising economy.
The proposed bill makes individual consent the centrepiece of data sharing, awards rights to users, imposes obligations on “data fiduciaries”— all those entities, including the State, which determine purpose and means of data processing. It also lays out provisions on data storage, making it mandatory for a copy of personal data to be stored in India, and called for amendments to other laws, including the Right to Information. Though the bill does not mention it directly, the report also suggests changes to the Aadhaar Act. In essence, the Data Protection Authority will function as India’s privacy regulator.
BN Srikrishna said efforts should be made to protect privacy, pointing to a nine-judge Supreme Court bench’s unanimous verdict recognising it as an intrinsic part of the right to life and personal liberty.
Ravi Shankar Prasad, the law minister, said the document would be a major milestone in a “larger narrative”, pointing to global recognition of India’s digital power, “innovative measures” for net neutrality and the Supreme Court’s declaration that privacy is a fundamental right. “I’ll have to go through it,” Prasad said of the report. “There’s also a draft Data Protection Bill. After this, government and Parliament will have to work on a law. We would like India’s data protection law to become a model for the world which will be a blend of safety, security, privacy and innovation.”