BENGALURU: The Srikrishna committee draft bill received mixed responses from privacy experts who said that while the bill provides a strong foundation for privacy protection in India, it has several shortcomings that have to be rectified through consultation.

"A lot of the inspiration for the Srikrishna committee comes from the General Data Protection Regulation (GDPR)," said Sunil Abraham, executive director, Center for Internet and Society.

"I think they have done a good job. They have overall followed the model the EU has used in the GDPR. But there are various places where there are serious dilutions, that is what I'm concerned about. There are several grounds under which the data controller can process data in a non-consensual fashion. Without seeking the consent of the data subject."

For instance, Abraham said: "Anything the Unique Identification Authority of India (UIDAI) wants to do as part of the welfare agenda is legal and unregulated. This will be done without the consent of the poor. In that sense this report and bill is anti-poor."

Vrinda Bhandari, a Supreme Court advocate, lauded the decision of the committee to make the draft bill public since it enables people to give feedback. "I think while it (the draft bill) really does take some positive steps, the biggest concern for me is surveillance reform. There was a huge opportunity for the committee to engage in surveillance reform."

She said that the committee had an opportunity to recommend judicial oversight for India's surveillance system, but it did not do so. "We do not have any transparency in reporting requirements for the surveillance that is conducted by intelligence agencies."

In addition, she said: "Amendments to Aadhaar are only in the recommendations in the report. The bill is silent on how the metadata of authentication transactions will be dealt with."

Amba Kak, policy advisor at Mozilla, said this bill is a step in the right direction but is not without loopholes. "In particular, the requirement to store a copy of all personal data within India, creating broad permissions for government use of data and the independence of the regulator's adjudicatory authority."

Abraham pointed out that the draft bill allows very broad grounds for non-consensual processing of personal data from employees by the employers. "An employer can put spyware on your work computer and say that I have installed spyware on your computer, and this should be understood as any other activity relating to the assessment of the performance of the data subject (who is an employee of the data fiduciary)," said Abraham.

"While the bill seems to protect the privacy rights of the people, it does not seem to do the same job for the poor and the workers in the country," he added.