XXXXXXX

A poor copy?

The General Data Protection Regulation (GDPR) agreed upon by the European Parliament and Council in April 2016, replaced the existing legislation, to become the primary law regulating how companies protect EU citizens' personal data. GDPR applies to each member state of the EU, aiming to create more consistent protection of consumer and personal data across EU nations. Some key privacy and data protection requirements under the GDPR include:

• Requiring the consent of subjects for data processing;
• Anonymizing collected data to protect privacy;
• Providing data breach notifications;
• Safely handling the transfer of data across borders;
• Requiring certain companies to appoint a data protection officer to oversee GDPR compliance.

Basically GDPR mandates a baseline standard for companies that handle EU citizens’ data, to better safeguard the processing and movement of citizens’ personal data.

Till 2017, India did not have any express legislation governing data protection or privacy. Some of the relevant laws in India dealing with data protection were and are the Information Technology Act, 2000 and the Indian Contract Act, 1872. The Government had notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These Rules deal with protection of "Sensitive personal data or information of a person", which includes personal information such as:

• Passwords;
• Financial information such as bank account or credit card or debit card or other payment instrument details;
• Physical, physiological and mental health condition;
• Sexual orientation;
• Medical records and history;
• Biometric information.

In July 2018, the nine-member expert committee headed by Retd. Justice B.N. Srikrishna submitted its Report along with a draft bill titled “The Personal Data Protection Bill, 2018” to the Ministry of Information and Technology. It is obvious that an attempt to create a complex new legislation on data protection has been made in a time period much shorter than what it took Europe to craft GDPR. Hence it may be expected that shortcomings may exist and operational challenges may arise. The need for public consultations on the Bill and appropriate modifications for such law need to be lined up.

In July 2018, the nine-member expert committee headed by Retd. Justice B.N. Srikrishna submitted its Report along with a draft bill titled “The Personal Data Protection Bill, 2018” to the Ministry of Information and Technology. It is obvious that an attempt to create a complex new legislation on data protection has been made in a time period much shorter than what it took Europe to craft GDPR. Hence it may be expected that shortcomings may exist and operational challenges may arise. The need for public consultations on the Bill and appropriate modifications for such law need to be lined up.

Devil is in the detail and we should improve on the work of the Srikrishna Committee to table a much stronger, citizen-focused bill for consideration of the Parliament.