About 10 days ago, the Committee of Experts chaired by Justice Srikrishna (Srikrishna Committee), appointed by the Ministry of Electronics and Information Technology (MeitY) last year, released its final recommendations on what India’s data protection framework should look like. It also released a draft Personal Data Protection Bill, 2018, (PDP Bill).
In this piece, I juxtapose the PDP Bill with the Telecom Regulatory Authority of India (TRAI)’s recommendations on privacy and data ownership and the Reserve Bank of India (RBI)’s diktat on localising payment systems data. (See here and here for collated lists of articles on other aspects of the PDP Bill).
So, what do you think will happen to the RBI circular and the TRAI recommendations when (any version of) the PDP Bill gets enacted? Let us begin with some recent history.
In July, 2017, the Indian government tasked the Srikrishna Committee with developing a comprehensive data protection law for India. The committee then released a white paper for public comments, and later, in January, 2018, conducted four public consultations – one each in Delhi, Bangalore, Hyderabad, and Mumbai. Six months later, ending all the speculation around the timing of their release, the Committee came out with its final recommendations and the PDP Bill. Meanwhile, in August, 2017, TRAI began its own consultation on privacy, data security, and data ownership in the telecom sector. TRAI’s deliberations ran in parallel to the Srikrishna Committee’s own exercise, and culminated with the telecom regulator releasing its privacy recommendations on 16 July, 2018, less than two weeks before the Srikrishna Committee released its own.
TRAI was not the only regulator to have jumped on the data protection bandwagon, pending the release of the Srikrishna Committee’s final recommendations. In April, earlier this year, the country’s financial regulator — the RBI — mandated that payment systems data be localised, which means it has to be stored only in India. While TRAI’s recommendations are just that — recommendations — the RBI’s mandate came into force immediately. Payment systems providers have until 15 October, 2018, to comply with the norm and inform the RBI about their compliance.
The actions of TRAI and the RBI did not go down well with the Srikrishna Committee. Soon after TRAI released its recommendations, it was reported that the Committee was upset with the timing of the telecom regulator’s move, as it would delay the release of its own final recommendations. As regards the RBI’s move, at the press conference to release the Committee’s final recommendations, Justice Srikrishna opined that the financial regulator had jumped the gun with its circular. The Committee’s displeasure with TRAI and the RBI aside, sectoral regulators will play a key role in taking forward India’s data protection framework. Justice Srikrishna has himself previously recognised this. – Inc4