The Draft Bill is glaringly inspired by the European Union’s GDPR. It recognizes four rights of citizens: first, the Right to Consent and Access, encompassing the right to know ‘the how and where’ of an individual’s data utilization and to prohibit usage of such data without consent; second, the Right to Correction, incorporating the right to have any mistakes in one’s published personal data corrected; third, the Right to Data Portability, covering the right to procure all details of one’s personal data generated during the usage of a service provider’s facility; and fourth, the Right to Erasure of data. It is pertinent to note that the Right to Erasure of data is limited to publication, in that it does not include compelling an entity to delete records. In Europe, this right is rightly stretched to the erasure of publication in its complete sense.
Similar to the GDPR, the Draft Personal Data Protection Bill is clear about its extraterritorial applicability and includes within its realm processing taking place outside Indian territory if it involves a citizen subject. Among the key provisions is the penalty for its most serious infringements, which extends up to 2% of annual global turnover or INR 5 Crores, whichever is higher.
The Right to Consent and Access can be overridden in the public interest, for the prevention and detection of unlawful activities, for whistleblowing, to further network and information security, etc. Sensitive personal data can only be dealt with after obtaining explicit consent, or for certain functions of the state, for compliance with the law or any order of a court or tribunal, and for situations requiring prompt action. Under the GDPR, legitimate interest can be used to process records if such processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract. In the author’s opinion, this can be misused by unscrupulous service providers unless controlled or subjected to a conditional limitation. Such a provision remains absent in the Indian draft bill, showing a more thoughtful approach by the Committee. However, processing may be required for the opening of accounts, the approval of representatives to an account or even for conducting Know Your Customer (KYC) checks.
There are constraints on cross-border transferability of personal data. A copy of personal data must be retained at a server or data centre in India, thereby placing an unnecessary economic burden on corporates, especially international tech giants and multinational companies. The GDPR has addressed the issue of effecting compliance in an easier manner by requiring a local representative who would be held liable for any transgressions of the law. This provision of the draft Indian bill has received backlash from the industry. Further, it mandates that critical personal data cannot be processed outside India, which has also caused debates and discussions among citizens, as it vests wide powers in the Government to determine what would be ‘critical personal data’ without laying down any guidelines on its limits.