Today, India's Ministry of Electronics and IT issued a new draft "digital data protection bill".
TL;DR: it's quite disappointing. This is a #DataProtectionBill one would expect from a country in the mid 2000s, before the GDPR, before the Indian Supreme Court's Puttaswamy ruling.
While claiming to be shorter and using simpler language than the previous draft bill, it actually deletes entire data protection rights that the earlier draft proposed. It uses weaker, pro-corporate language around consent. And even wider carve-outs for govt agencies, LEAs.
Despite repeated, loud concerns around the issues with the independence of the data protection authority proposed in the previous draft, the new draft bill created an even weaker Data Protection Board that would not be independent of the Union Govt - the main party often before it.
Imagine an "independent regulator" whose governing body's composition is completely decided by the Govt. Appointments of the chair & members solely by the Govt. The Govt can even directly appoint the DPB's chief exec, managing day-to-day affairs. + change service rules anytime
The draft bill proposes "voluntary agreements" where a party being investigated for breaking the law can essentially plea bargain. Except if they break the agreement, the only thing the DPB can do is fine them. Such agreements are a complete shield, defanging the DPB.
[For context, the US's Federal Trade Commission regularly uses consent decrees to push oversight & long term accountability on firms, incl tech cos. But the FTC can go ahead and seek wide remedies and enforcement actions if such consent decrees are breached. Not just fines.]
As my colleague @NamrataM_ pointed out : the new draft bill actually does away with the provision on compensation to affected individuals entirely! It also creates a narrower definition of "harm" - psychological impacts of unlawful behaviour and other factors no longer included.
And while trying to potentially be seen as pro-corporate - or at least responding to some of the corporate lobbying done on this - the bill actually sets up a huge crisis for India's tech and outsourcing industry. It categorically says non-residents get no data protection rights.
... which, anyone who follows data protection developments globally, knows is a red flag for India in the eyes of the EU Court of Justice, EU and DPAs. The Schrems judgments tore up data transfers between the EU & the US due to inadequate data protection remedies for EU citizens.
I've unfortunately had the misfortune of dealing with the drafting of the legal framework under Section 69A of the Information Technology Act, and the very, very creative interpretations of that flawed legal measure from the Govt of India since 2010. It's rotten, unconstitutional.
S. 69A was tacked on to the IT Act amendments in 2008-09 to give legal air cover for the completely unconstitutional Ministerial order framework for website blocking & a 2003 notification. The amendment was passed by voice vote in a din in Parliament, after the 26 Dec attacks.
When the Govt drafted the rules for it in 2010-11, the stakeholder feedback it received was that there were insufficient checks, it would be misused, & that the "confidentiality of the blocking orders" clause they added was violative of the RTI act, beyond the IT Act, & perverse.
Thread on Govt of India amendments to its allocation of business rules re: Ministry for Information & Broadcasting:
TL;DR: The Govt amended the rules that govern how the business of the Union Govt is conducted to say that MIB is the administrative lead on digital/online media
The operative part is below; they added to the list of business MIB is supposed to manage.
DIGITAL/ONLINE MEDIA
22A. Films and Audio-Visual programmes made available by online content providers.
22B. News and current affairs content on online platforms.
[Fun fact] This was drafted in a hurry. How I can tell that is that the notification for the amendment adding it to the existing rules of business is mis-numbered. They wanted to add it right after film certifications, and misunderstood how to write the roman numerals for it.
The Indian Government published a draft 'Health Data Management Policy' document for its new proposed National Digital Health Mission. They gave an immensely short window for public comments on it, which may have gotten extended today to next week. But, there's more.
If you look at the PDF of the document itself, you can see that it was finalised in a rush. Edit track change marks are still there.
If you then dig into the PDF, you can see that the final version was done on Microsoft Word by @sunetrar of @Vidhi_India & then uploaded by the NDHM.
TL;DR: The Union Govt in India is rushing to finalise the docs for its National Digital Health Mission, including a Health Data Management Policy - even while the Data Protection Bill is pending. While giving little time for public comment, it appears to have engaged @Vidhi_India
One set of perhaps less foreseen stakeholders should also be paying attention to today's judgment by the CJEU tearing up the EU-US Privacy Shield agreement on data transfers:
Asia-Pacific govts involved in EU data protection adequacy status: Japan, S. Korea, and India
With Japan, it's about enforcement of its changes & if there really is remedy available to users on data protection harms, surveillance concerns.
S. Korea is still structuring its amended data protection legal framework. Also has taken radical surveillance steps during COVID19.
India perhaps most vulnerable - but could also do the most. While its Sup Court upheld privacy as a fundamental right, exec & legislature are dragging things. Data protection bill still in Parliament - current text gives wide powers to executive, fails to create independent DPA
In the order just announced in India extending the lockdown, one can see the reckless assault on the constitution that the Union Home Ministry is mounting. Short thread.
In an order under the Natl Disaster Management Act (which the NDMA should be actually announcing), MHA is "ordering" state govts, others to issue orders under Section 144 of the CrPC. Leave alone the Union Home Ministry, even State CMs are supposed to defer to District Magistrates.
+ a range of other directions. The National Disaster Management Act is a law passed by the Union Parliament, mostly under the concurrent list and residuary powers of the Union under the Constitution. It cannot be used to legally compel state govts on issues under the states list.
Currently the representative house for the world's largest democracy & the second largest internet market in the world is considering - for the 1st time - a data protection bill. MPs have risen in concern & opposition in the Lok Sabha to the bill that the Union Govt has proposed.
After opposition by MPs, Minister Ravi Shankar Prasad reveals the Government's plan. Instead of letting it be referred in the normal process to the Standing Committee on IT, Minister Prasad is trying to push for it to be referred to a specific select committee formed for this.
For context, the current Standing Committee to the Indian Parliament on IT is coordinated by the Lok Sabha (House of the People) and chaired by an Indian National Congress MP Shashi Tharoor.