The India Draft Bill on Data Protection Draws Inspiration from GDPR, But Has Its Limits

The India Draft Bill on Data Protection Draws Inspiration from GDPR, But Has Its Limits is a report published in The Economic Times on 28 July 2018. The article evaluates the Justice Srikrishna Committee’s proposed data protection framework, noting how it adopts several principles from the European Union’s General Data Protection Regulation (GDPR) while diverging in scope, rights, enforcement, and localisation mandates. Sunil Abraham’s comments highlight how a lighter-touch approach—such as the GDPR’s local-representative model—can in some cases offer stronger accountability than strict data localisation.

Contents

  1. Article Details
  2. Full Text
  3. Context and Background
  4. External Link

Article Details

📰 Published in: The Economic Times
✍️ Author: Nilesh Christopher
📅 Date: 28 July 2018
📄 Type: News Report
📰 Newspaper Link: Read Online

Full Text

Synopsis
The EU's GDPR bestows several rights on EU residents to protect their personal information and imposes restrictions on how companies keep data on them.

BENGALURU: The Justice Srikrishna committee report on data protection submitted on Friday draws a lot of inspiration from the European Union's data protection norms.

The General Data Protection Regulation (GDPR) that took effect in the EU on May 25 bestows several rights on EU residents to protect their personal information and imposes restrictions on how companies keep data on them.

The Srikrishna Committee's proposed draft data protection law has adopted principles like right to access and correction, right to portability, right to be forgotten, but the extent of an individual's rights is limited compared with the EU law.

"Critical personal data is not defined, and it is left to the central government to determine what constitutes critical personal data," said Nehaa Chaudhari, privacy lawyer with technology law firm TRA Law.

The proposed law imposes different data localisation requirements for different kinds of data. It mandates absolute localisation – that is, complete storage and processing – of critical personal data in India.

The law also mandates ‘mirroring’ of data, which requires a copy of an entity's personal information to be kept in a server or data centre in India.

EU's GDPR allows data controllers and processors to transfer data outside the EU if they fulfil certain conditions.

"GDPR only requires you to have a local representative, which is a better approach," said Sunil Abraham, executive director at the Centre for Internet and Society. "Then you can arrest the representative if FB (Facebook) doesn't give you data, which is a better way for the government to force corporations to submit data."

While GDPR prescribes a fine of up to EUR 20 million, or 4% of the total worldwide annual turnover in case of a company, for infringement of the law, the Srikrishna committee draft law prescribes both civil penalties and criminal offences.

For the misuse of personal data, the draft law punishes non-compliant parties with a jail term of three years or a fine of up to Rs 2 lakh, or both.

Just like the GDPR, the draft bill prescribes differing ranges of penalties for contravention of different provisions. "For some contraventions, max penalty is Rs 5 crore, or up to 2% of the global turnover of a company in the previous year, whichever is higher," said Chaudhari of TRA Law. "For some other contraventions, including contravening the provisions on cross-border transfers, consent and grounds of processing, penalties extend to Rs 15 crore or 4% of the global turnover in the previous financial year, whichever was higher."

Context and Background

The article appears at a key moment in India’s evolving data governance landscape. The Justice Srikrishna Committee’s recommendations marked the country’s first serious attempt to articulate a comprehensive data protection framework. By comparing the Indian draft to the GDPR, the piece highlights crucial gaps:

Sunil Abraham’s comments underline a deeper policy argument: strict localisation does not necessarily enhance state capacity or public accountability. Instead, mechanisms like the GDPR’s local-representative requirement can sometimes provide more predictable and enforceable outcomes.

The article therefore serves both as a snapshot of India’s early data protection debates and as an illustration of how global frameworks like GDPR shaped domestic policymaking.

📄 This page was created on 11 December 2025.