The draft bill on data privacy, submitted by the B.N. Srikrishna committee, lays enormous emphasis on the consent of the person whose data is being used. After public comments are noted and Parliament clears it, the draft Bill will become law.
India’s privacy and data protection debate finally got a draft bill last week. Headed by former Supreme Court judge B.N. Srikrishna, the committee of experts submitted a 176-page report, titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians", and a 62-page draft Bill, titled The Personal Data Protection Bill, 2018. The draft Bill will become law after public comments are noted and Parliament clears it.
Many businesses, including financial services firms, use consumer data to analyse sales patterns and buyer behaviour, or to build profiles that make targeted marketing campaigns more effective. In fact, many fintech companies rely heavily on data processing. In the absence of a law, there are no rules on who owns the data or on whether a consumer can have her data erased from a service provider's systems.
There are at least three aspects of the proposed law that a consumer, especially a financial services consumer, should know about.
The committee has laid enormous emphasis on consent of the person whose data is being used.
“Consistent with our view that the digital economy should be free and fair, the autonomy of the individual whose data is the lifeblood of this economy should be protected. Thus, a primary basis for processing of personal data must be individual consent…Consent is often uninformed, not meaningful and operates in an all-or-nothing fashion,” the committee said, introducing the report’s chapter on processing of personal data.
The committee has identified passwords, financial data, health data, official identifiers which would include government issued identity cards, sex life and sexual orientation, biometric and genetic data, transgender status or intersex status, caste or tribe and religious or political beliefs or affiliations as sensitive personal data under a data protection law.
The committee says that consent must be “informed", “specific" and “clear". Most importantly, consent needs to be capable of being withdrawn as easily as it was given.
However, the committee has proposed that the government can be exempted from obtaining an individual’s consent, and the draft provides broad exceptions. For instance, Section 17 of the draft bill allows non-consensual data processing for “any public interest” or “prevention and detection of any unlawful activity” or “credit scoring”, among other things.
“On one hand the draft sets out detailed provisions for consent and explicit consent. On the other, there are provisions which dilute the right of data principals (individuals) completely such as Section 17 and 22. These allow for wide discretion to be exercised by the Data Protection Authority under the Act. Tighter provisions including timelines for retention of and deletion of data, process, audit and compliance therefore would have been welcome additions," said N.S. Nappinai, an advocate specializing in cyber law.
If an individual feels that her personal data has been compromised, she has the option to raise a grievance with the data protection officer of the entity handling the data. If the dispute is not satisfactorily resolved at this stage, the individual would have the option to escalate it, even to an appellate tribunal. The process has been defined in Section 39 of the draft Personal Data Protection Bill.
Also, Section 32 defines the process by which entities must report a data breach in their systems. As of now, it does not set a timeline for how soon a breach has to be reported.
Moreover, the authority will have the discretion to determine if the breach should also be reported to the data principals, which means the consumers whose data has been breached. “Section 32 (5) gives the discretion to decide if data principal should be notified of a personal data breach to the Authority. At the first step itself therefore this draft appears to be diluting individual rights," Nappinai said.
While it will take some time for the draft bill to become law, compliance by businesses may also take significant time after that. In the case of the EU’s GDPR (General Data Protection Regulation), businesses were given two years to comply with the regulation once the framework came into force in 2016.
“In case of India, I think it will be very difficult to comply in two years given the complexities. So there has to be a gradual approach, depending upon the size of the company, its turnover and the amount of PII (personally identifiable information) data it is processing. For instance, a company having a turnover of, say, ₹ 50,000 crore, should comply in much faster time and a smaller business with a turnover of ₹ 500 crore should be given more time," said Akshay Garkel, partner, Grant Thornton India LLP.
There are penalties under the draft that “are quite stringent and strong deterrents", Nappinai said.
The real impact of the law will take years to manifest, but at least there is a roadmap in place.
Shivakumar Shankar, Managing director - India, LexisNexis Risk Solutions
Striking a balance
As the first step towards data privacy, the committee has struck a balance between privacy and the need to allow data to be used for legitimate and beneficial purposes.
Defining individuals as data principals and processors as data fiduciaries will help enhance the autonomy of individuals and place a great degree of responsibility on the processor to maintain trust.
Akshay Garkel, Partner, Grant Thornton India LLP
Privacy is top priority
The way the draft has been written is pretty much in line with the EU GDPR (General Data Protection Regulation). The report is based on a triangular approach, where privacy of citizens is on top. But that does not mean that other businesses will be affected. The second edge of the triangle is that the state holds certain rights and the third is that trade should not get affected.
A.K. Viswanathan, Partner, Deloitte India
Lot will depend on institutions
There will be an impact on financial services companies and initially there will be some cost involved.
Financial institutions will have to get their heads around how to work towards it. Secure, vigilant and resilient are principles that apply to security and will also apply to privacy. The impact will vary based on organisations’ maturity in handling data.
N.S. Nappinai, Advocate, Supreme Court and Bombay high court
India benefits from examples
The manner in which the EU’s GDPR law is enforced is granular (with small territories having a large number of data protection authorities) and the individual’s right is given absolute primacy. To expect India’s draft law to meet such requirements would be utopian. Yet India benefits from examples and can leapfrog to a stronger enforcement regime faster.