Photo: Bombuscreative

Getting serious about data protection, but it’s still a long way to go

On 27 July, India got a glimpse of what could become its own version of the EU GDPR (General Data Protection Regulation). GDPR protects the personal data of individuals in the EU and makes companies anywhere in the world that handle such data accountable for preventing its misuse and unauthorised access.

Indian companies that store, process or otherwise deal with the data of EU residents are still struggling to meet the demands of this regulation, under which a non-compliant organisation can be fined up to €20 million or 4% of its annual global turnover, whichever is higher. Individual EU member states may add their own criminal penalties on top of this, so personal liability for a company's local representative cannot be ruled out.

The draft Indian Personal Data Protection Bill (PDPB) was tabled after nearly a year of consultations by a committee headed by Justice B.N. Srikrishna. It has drawn initial criticism from industry circles for being overly stringent, inflexible, a threat to personal privacy and difficult to implement, but it also marks a positive change in how seriously India takes personal data protection. Notably, the draft makes it mandatory for companies to disclose any breach involving personal data, a requirement that is absent from existing Indian regulation.

The draft bill defines "data" broadly and treats automated and AI-driven operations as processing within its scope. Personal data is defined as data relating to an individual's identity and characteristics. Sensitive personal data cannot be shared openly and includes passwords, financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, caste status, and religious or political belief.

Today, the flood of spam calls and SMSes suggests that such data is freely exchanged between companies and agents under cover of "implicit consent" buried in agreements that Indian citizens sign without much deliberation.

The draft bill defines the handling of data through terms such as "processing" and "profiling". Processing covers collection, storage, alteration, indexing, dissemination, erasure and destruction. "Profiling" is, interestingly, defined as analysing personal data to identify a person's past behaviour and predict her future behaviour, which may hint at the political sensitivities around social media analytics. The draft also identifies the entities that deal with data and will be regulated: persons, the state, companies and any other juristic entity. It includes a "right to be forgotten", in line with the GDPR, under which an individual can ask that her personal data be deleted.

Taking another leaf out of GDPR, the draft asserts extra-territorial jurisdiction: in addition to Indian entities, it applies to foreign entities, both governments and companies, that process the personal data of people in India. It also provides that critical personal data may be processed only in India.

US-based trade groups representing card payment processors have already protested against a Reserve Bank of India (RBI) directive issued in April, which required all payments data to be stored locally in India within six months. Justice Srikrishna said in a press interview that a new data protection law would override all other notifications and regulations on data storage.

It is possible that sectoral regulators such as RBI will in future release their own detailed guidelines to help banks adopt the PDPB in practice. The success of the bill also depends on consensus among the various regulators and government agencies involved.

Contrary to popular belief, the draft bill does not give the government unrestricted access to personal data. It does grant the state special concessions for the provision of services, a carve-out that appears to have been designed with Aadhaar-based services in mind.

It also provides for the formation of a Data Protection Authority (DPA) of India, in line with the DPAs in the EU, which would regulate and enforce the provisions of the law and impose penalties for non-compliance.

In a nutshell, this is one of the most stringent data protection bills ever drafted in India, putting the country on a par with global data protection regulation. The draft not only clearly defines what it covers but also puts power in the hands of the data principal, the individual, to protect her personal data and identity.

However, just as with GDPR, companies will need significant time and resources to put in place processes that comply with the PDPB. It may be argued that this will hit startups and small and medium enterprises (SMEs) hardest. In due course, though, the cloud service providers that serve most of India's startup and SME ecosystem will themselves have to comply, which should ease the burden on their customers.

It is a well-drafted bill, but the government, the DPA, companies and sectoral regulators will have to work together to ensure a smooth transition while keeping individuals' interests at the core.

Amit Jaju is senior MD and India head, FTI Consulting