Ashwini Vaishnaw says digital personal data protection bill not prescriptive | Q&A

A: The focus has clearly been on giving the fundamental right as pronounced by the honorable Supreme Court of India, putting that in a very robust legal framework. So, all the basic principles of digital personal data protection, the principle of purpose limitation, the principle of data minimization, the principle of storage limitation, the principle of accuracy, the principle of reasonable safeguards, the principle of accountability, all these principles have been very clearly defined in the bill.

So, once we put those absolutely accepted principles, globally accepted principles in the law, then it becomes very robust. The carve outs, which have been done, for example, innovation, the carve outs are very limited in a sense that they have a proper safeguard behind them. For example, startups - if a startup wants to do something, experiment something, we will be creating Regulatory Sandboxes, in which they will not violate the principles, but the compliance burden will be lesser. And once a product or a service is tested, then it becomes like any, that's why we didn't use the word startup. Because a startup can be a unicorn also, startup can be like having personal data of millions of people. So we have used the word in a very careful way. So that's the way by which we are balanced practically,

A: Industry, citizens, citizens’ organisations, experts, legal experts, and global experts, they've all praised this draft. They have praised the formulation of this bill, they have praised the language of the bill, they have seen that the bill is principles-based, and this is not a prescriptive law. They have praised the very limited number of exemptions given to the state. They have praised the fact that a very flexible implementation structure has been designed, which is digital by design. We should be seeing the rollout very soon. We have already been working on the rulemaking and the digital implementation process. We have already been working on it. So it should be rolled out very soon.

A: If you look at GDPR, there are 16 exemptions and I'll be very happy if you take a look at the GDPR exemptions. Exemptions for national security, for defense, for crime prevention, for crime detection, of course, they will be everywhere, but there are exemptions for ethics in professional matters, there are exemptions - now compared to that, our exemptions are very limited, very focused exactly as per the constitutional mandate.

For example, medical emergency. Is that a time when you should be filling up forms or you should be trying to protect or save the person? Disasters, then the constitutionally defined carve outs, national security, public order, friendly relations with the countries right? These are clearly defined time tested, Supreme Court has given judgments. So I would say our law is significantly more stringent compared to the other laws.

And also one good thing about our bill is it is not prescriptive. If it is prescriptive, then what happens is as the technology changes, the law will generally not be able to catch up with it first. Second, the compliance burden for the citizens as well as the industry will become very high. So we have kept it principles-based.

A: Absolutely, the government is equally accountable. The carve-outs, the exemptions are very specific. They are as per the constitutional mandate. There is nothing which basically differentiates the government data fiduciaries.

See even the use of word fiduciary, in fact, I'm so glad that one of the speakers in the parliament today acknowledged this, recognized this, that using the word fiduciary itself means that we are placing the trust in the person. Compare this with the other global laws, where the word used is data controller. It's a very big difference, very important difference. We are saying that yes, the person who is collecting data has to behave like a trustee, behave like a responsible organization, as and when the data is processed.

A: See all global laws, if you see for example, it will be written competent authorities for prevention, detection, prosecution of crime. That is the way it is written, exactly that is the way we have written. These are global standards, which have got established all over the world now.

A: Absolutely not. It's a very unfair criticism, somebody who has not studied, they'll make this criticism. Why I'm saying that? RTI, clearly, when the Puttaswamy judgement came from the honorable Supreme Court of India. That very same day the contradiction between RTI and Right to Privacy has to be cleared. So what we have done is a legislative correction, right? Even today, under any law, if the public servants including the elected representatives or the appointed government officers, whatever disclosures they are supposed to make, under relevant laws, they will have to make, they will continue to make. This in no way dilutes the RTI.

A: Very significant point. See, how does independence come? Independence comes firstly from the law. Second, the government doesn't get the right to modify the terms and conditions of appointment. Those are defined by the law. For example, Securities and Exchange Board of India (SEBI) chairperson – even if that person is appointed by the government, the rules regarding the appointment, the rules regarding to tenure, the provisions related to the compensation, everything is defined prescribed in the law. Exactly same thing is there in the case of Data Protection Board. Independence has been defined and properly structured in the law itself.