New Delhi, October 10: Mozilla’s commitment to user security and privacy is evident not just in its products but also in its global policy work. In India, Mozilla has been one of the front-runners in support of a strong data protection law.
Today, Denelle Dixon, Mozilla’s Chief Operating Officer, Jochai Ben-Avie, Senior Global Policy Manager and Amba Kak, Public Policy Advisor filed a detailed submission to the Ministry of Electronics and Information Technology (MEITY) on the Personal Data Protection Bill, 2018. We are supportive of all of the work that it has taken to get to this point. The intention of our filing is to acknowledge that work, support the strengths of the Bill and recommend areas for improvement. The swift progress on the Personal Data Protection Bill 2018 and the current consultation progress brings India one step closer to a data protection framework that could be a model to the world.
Mozilla’s Public Policy Advisor Amba Kak summarizes the submission as follows, and the full submission is available on Mozilla’s official blog:
“We endorse the comprehensive and strongly worded set of obligations in Chapter II that apply to both, government and private actors. In particular, we welcome the affirmation of core privacy principles which require that these entities should limit the amount of data they collect and justify for what purpose they collect data. Yet there is some way to go to improve this bill in its journey to law, to make sure this progress is not undone.
We think certain key provisions from the GDPR are missing that should be included, such as the right to object to processing; as well as the legal ground to process data that is necessary for the performance of contract.
We also recommend strengthening provisions that apply to government. In the legal ground that enables distinct treatment for government use of data, we recommend narrowing down the provision to only core public functions and not all “services and benefits”.
While the Bill mandates that data processing by law enforcement agencies is necessary and proportionate, we recommend the government must move swiftly to amend existing criminal law to bring it in compliance with this standard.
On the issue of security breaches, we recommend areas of improvement, including that in case of high risk breaches, data fiduciaries should be obligated to communicate directly to users without undue delay. A defence or exemption for bona fide security research must be included in Section 92.
On data localisation, we recommend that the broad requirement to store a copy of all personal data in India should be removed. Categories of critical personal data that are currently localised in India for strategic or security reasons should be clearly stated, and the open-ended mandate to the Central government to notify further categories should be removed. Also, the requirement to have the data protection officer “based in India” should be removed and instead only require registration of contact details.
Finally, the independence of the regulator is critical to the successful enforcement of this law. Conditions relating to the qualification, manner, and terms of appointment of Adjudicating officers must be stipulated in the Bill to prevent excessive discretion to the Central Government.”