Modi Government Seeks ‘Clarifications’ on Data Protection Bill

The Ministry of Electronics and IT has confirmed to The Quint that it has reached out to select stakeholders to seek “clarification” on the comments received on the draft Data Protection Bill.

An expert Committee headed by Justice (retd) BN Srikrishna had submitted its report, along with a draft personal Data Protection Bill, to Electronics and IT Minister Ravi Shankar Prasad on 27 July 2018.

Two sets of consultations were held with respect to the draft Data Protection Bill. The first was in November 2017, when the Srikrishna Committee had released its white paper and the second was conducted by the Electronics and IT Ministry (MeitY) itself when it had solicited public comments from 14 August-10 October 2018.

S Gopalakrishnan has made clear that this isn’t a fresh round of consultation.

India is among the handful of democracies across the globe without a data protection and privacy law. A year has passed since the draft Bill was submitted and it is yet to be tabled in the Parliament.

What Clarification are They Seeking?

Gopalakrishnan didn’t elucidate the details of the clarifications sought and said, “At this stage, we are only presenting the feedback, we had some doubts on the feedback, we are collecting it, that’s all.”

However, in a report, Medianama states that data localisation and e-commerce feature among the questions on which clarifications are sought. Some questions claimed to be put up to stakeholders are:

• The draft Bill proposes all personal data needs to be stored in India, whereas
  a significant amount of the feedback received suggests that restriction on
  cross-border flow of data may be limited to sensitive or critical personal data. Do you feel it is necessary to mandate storage of all types of personal data in India?
• The role, scope, power and authority of the regulator proposed – Data Protection
  Authority of India (DPA).
• What can be the contours of a policy that should govern non-personal data, such as community data, anonymised data, e-commerce data etc?

Bill’s Data Localisation Requirement Under Scanner?

A specific section of the draft Bill mandating data localisation has been a bone of contention.

According to the draft Bill, personal data will need to be stored on servers located within India, and transfers outside the country will need to be subjected to safeguards. Critical personal data, however, will only be processed in India.

When asked if data localisation is being re-examined by the Ministry, Gopalakrishnan replied, “No, not at this stage. It may re-looked at by Parliament or cabinet.”

“We have no clue about this,” the Joint Secretary replied when asked if this report has been considered by the Ministry. The joint secretary’s response comes as a surprise, given that the Secretary of IT Ministry, Ajay Prakash Sawney, was part of the four-member Committee which recommended a watering-down of the data protection requirements.

A Bill Shrouded in Secrecy

The draft Data Protection Bill has received sharp criticism, not only for provisions like data localisation but also for the Ministry’s lack of transparency on it.

The workings of the ten-member Srikrishna Committee have been shrouded in secrecy since its formation on 31 July 2017. Dozens of RTIs seeking information on its formation, meetings and public consultations have been consistently denied.

On 25 July 2019, in a reply to Rajya Sabha MP Rajeev Gowda, IT Minister Ravi Shankar Prasad said that, “The submissions made to the Committee by any entity are confidential and meant for examination by the Committee.”