'India’s data privacy Bill: Progressive principles, uncertain enforceability' by Graham Greenleaf in
(2020) 163
Privacy Laws and Business International Report 6
comments
India’s Modi government has at long last submitted the Personal Data Protection Bill, 2019 to India’s lower house. The Bill is based on the draft Bill (and Report) prepared by the committee chaired by former Supreme Court Justice Srikrishna, but almost every clause of the ‘Srikrishna Bill’ is varied by this Bill. It has been referred to a Joint Parliamentary Committee of both Houses. This article aims to provide a critical overview of the main elements of the government Bill, with an emphasis on significant differences from the Srikrishna Bill, and o n comparisons with the EU’s GDPR.
The article concludes that the Bill includes, at least superficially, a large proportion of the rights and obligations found in leading international data privacy standards, particularly the GDPR. In this respect it is similar to the Srikrishna Bill, although it weakens some principles. The penalties for breaches of the law, and the compensation provisions are also superficially strong, well up to international standards. In these respects, it is a progressive Bill.
However, when it comes to questions of whether it is likely to be enforced strongly and effectively, this Bill falls well short of international standards. The DPAI is dominated by government appointments, and lacks guarantees of independence. Data principals (and NGOs representing them) lack sufficient independent abilities to take enforcement action. The scope for the government to exempt public sector bodies from the law is far too broad.
This Bill goes even further than the Srikrishna Bill in implementing a very different regulatory philosophy from the EU GDPR’s radical dispersal of decision-making responsibility (and liability for wrong decisions) to data controllers. The Indian model is more prescriptive (perhaps closer to the 1995 EU Directive in this respect), but it is implemented in section after section by leaving the essential regulatory details to be completed by the Data Protection Authority of India (DPAI), or the Indian government, through delegated legislation. Until these regulations are completed, the result will a high degree of uncertainty as to how much protection the Bill will offer data principals, and a long period of uncertainty impeding planning by Indian businesses.