wordpress blog stats
Connect with us

Hi, what are you looking for?

Data localisation might result in a negative GDP: SFLC.in responds to MEITY’s questions on the Data Protection Bill

Graphic representing community data

“The Data Protection Authority telling the data fiduciary to notify data principals can be long enough to give time to the miscreants to use information to the detriment of the data principals,” said SFLC.in in its response to the additional comments sought by the Ministry of Electronics and Information Technology (MEITY) on the Personal Data Protection Bill, commenting on data breaches.

The ministry had privately sought responses to fresh questions on the data protection bill from select stakeholders – a development MediaNama made public last month. Commenting on the process, SFLC.in said that “a secret process with selective participants is harmful to the democratic nature of our country”. They also appealed that MEITY be “more transparent and open” with such processes in the future. Please note that SFLC.in wasn’t among the few stakeholders that the ministry sought comments from. Also, the questions asked by MEITY didn’t appear to be clarifications, and some of them covered new points of discussion not covered in the data protection bill consultation.

Here are detailed notes from SFLC.in’s responses:

‘Data Localisation might result in a net negative GDP’

Study economic and environmental impact of data localisation: It is not necessary to restrict the storage of any category of data within India. The storage of a very narrowly defined category of data such as state secrets could be restricted to India. A detailed study is required on the economic, environmental and opportunity costs associated with storing data within India before taking such a step.

Data localisation might hurt Indian businesses: Many developing nations look towards India as a role model for creating their own laws and frameworks. The perceived benefits of storing data locally, i.e. generating new jobs, may potentially be offset by an associated increase in the opportunity cost for Indian entrepreneurs that wish to expand their businesses to other countries, only to be faced with data localization costs in those countries.

Advertisement. Scroll to continue reading.

Fix MLAT (mutual legal assistance treaty) process: Alternative methods to achieve lawful access to data can be developed, as the Internet connects devices across the globe, and any data stored anywhere in the world can be accessed remotely through the Internet. Our first priority should be to fix the MLAT process. This is already happening through global developments like Budapest Convention and other international efforts to standardize digital privacy and data sharing.

‘Draft PDP Bill doesn’t impose adequate obligations on the data fiduciary’

Data breach notification obligation shifts responsibility from data fiduciary: The data breach notification obligation under the draft Bill is insufficient as it shifts the responsibility for assessing the potential damage from the data fiduciary to Data Protection Authority of India (DPAI), said the organisation.

It also causes a delay in addressing data breaches: In its current state, the draft Bill does not consider the fact that many forms of harms to data principals can be mitigated if the data principals are immediately made aware of a breach.

  • “A delay will be caused by the intermediate step of first notifying DPA, and then waiting for DPA to reach that particular breach notification, followed by time required for DPAI to adjudge the significance of that breach and whether data principals deserve to know that their data has been breached,” said SFLC.in.

Right to be forgotten is insufficient: The right to be forgotten is insufficient as the draft Bill does not provide a way for data principals to request for deletion of their data. If their data is being held in trust by the data fiduciary, it is only natural for them to be able to request for their data to no longer be held in trust, SFLC.in said.

Right to be forgotten requests should be passed to other entities who hold the relevant data: If a request is made under the right to be forgotten, it should be passed on by the data fiduciary to all other entities that have been provided a copy of that data, the organisation submitted.

‘DPA should have full oversight without govt’s interference’

DPA should be allowed to operate freely: It is necessary that since the DPA is meant to have an oversight on every government and non-government entity that deals with personal data, it must be allowed to operate freely.

Draft PDP Bill diluted DPA’s role: The draft Bill has diluted the role, scope, powers and authority in favour of retaining powers in the hands of the central government. The DPA is meant to have the highest level of expertise in this matter, with oversight over all entities that deal with personal data.

Advertisement. Scroll to continue reading.

Policy governing non-personal data: do we even need it?

No concept of community data arising from personal data: On one hand, the draft Bill suggests that data fiduciaries hold data in trust, i.e. they are not the owners of the data. The data still belongs to individuals. If that is the case, as it should be, then no concept of community data can arise from personal data as individuals cannot be forced to give up that which is theirs, except in the form of purely collective anonymized data from which individual entries cannot be retrieved. As long as individual entries can be retrieved, it will remain possible to re-identify that data.

E-commerce data ≠ collective anonymised data

E-commerce data is not equal to collective anonymised data: While a case can be made for free and open access to collective anonymized data for research and reporting, the same cannot be said for any form of ‘community data’ or ‘e-commerce data’. These forms of data are derived from personal data without sufficient safeguards for the protection of individuals. The government cannot legally enable private profiteering at the cost of the Right to Privacy of individuals. Any such clause will be subject to challenge before the Supreme Court of India as a violation of the Right to Privacy.

[embeddoc url=”http://staging.medianama.com/wp-content/uploads/SFLC-comments.pdf” download=”all”]

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ