Draft data protection bill: From 3 global overarching approaches, Srikrishna panel carves out a 4th path

Union Law Minister Ravi Shankar Prasad accepts a report on ‘Data Protection Framework’ from Justice BN Srikrishna, in New Delhi on Friday, July 27, 2018. (PTI Photo/Kamal Singh)

As it draws from the three overarching global approaches on data protection — the US ‘laissez-faire’ approach to regulating data handling by private entities with stringent obligations on the state, the European approach where data protection norms are founded on the need to uphold individual dignity and the Chinese law that focuses on the interests of the collective over the individual — the Justice B N Srikrishna panel carves out, what it calls, a fourth approach. One that focuses on allowing “data flows for a growing data ecosystem” and creating “a free and fair digital economy”, where citizens come on top, with the state having some responsibilities even as the protection does not come at the cost of trade and industry.

The recommendations, the panel notes, are only relevant to India, but to all countries in the Global South “which are looking to establish or alter their data protection laws in light of the rapid developments to the digital economy”. Each of the three broad data protection regimes is founded on each jurisdiction’s own understanding of the relationship between the citizen and the state in general, and the function of the data protection law, in particular. In the US, the report notes, the approach to regulating data handling by private entities while imposing stringent obligations on the state is based on its constitutional understanding of liberty as freedom from state control.

Also read | Draft data protection: Changing who can use Aadhaar data, among key suggestions

On the issue of the permissibility of cross-border transfer of personal data, the report focuses on the imperative of cross-border flow of personal data that may have to be balanced with India’s interests in enforcing its data protection law in a successful manner. Effective enforcement will invariably require data to be locally stored within the territory of India and this would mean that such a requirement, where applicable, would limit the permissibility of cross-border transfers as outlined above.

Different jurisdictions have followed varying practices on this issue. Whereas China localises internet-based mapping services, critical information infrastructure and banking data, Canada localises public interest data held by government agencies, schools and hospitals, Australia localises health data. In certain cases, such as in jurisdictions like China and Russia, the data that is localised is not permitted to be transferred outside territorial borders. In other countries such as Vietnam, a copy of the data is kept on a local server, but data transfer outside the jurisdiction is also permitted.