Srikrishna Commitee and draft data bill show the way ahead, but lose GPS signal on some stretches. The roadmap towards securing citizens' sovereignty over their data and fundamental right to privacy has been set down by the Srikrishna Committee report and the draft Data Protection Bill. But potholes remain, roadworks will be in progress for a long time yet many details must be worked out through case law and the bill is hardly bulletproof, though it seems to draw inspiration from Europe's cast iron General Data Protection Regulation (GDPR). The bill defines the essentials of a regulated and uniform data ecosystem, on the lines of the GDPR, laying out the conditions under which data may be collected, stored and processed, consequent fiduciary responsibilities and penalties, and the appointment of data protection overseers. It also interprets personal data in an open ended manner, to include identifiers like caste, religion, political beliefs and associations, gender, health and financial data, official identifiers everything that can be cross indexed to arrive at the identity of an anonymised person. The notion of informed consent is central to the collection and processing of data. However, there are significant departures from the GDPR. Most egregious is the infiltration of 'reasonableness' and 'practicability', which have proved to be the landmines of Indian legislation, particularly the Income Tax Act. Since what is reasonable and practicable is discretionary, the door is opened to corruption and unnecessary case law. India has been online for over two decades and the contexts in which these terms will be read are clearly understood. Spelling them out would have reduced the burden of the courts. Besides, while recognising the right to be forgotten, which was established by Spanish case law years ago, the draft is silent on the right to deletion, which is as important.