The Personal Data Protection Bill has suggested a host of recommendations to overhaul India’s current data protection regime. The bill covers both government and private entities and extends not only to the processing of personal data by Indian entities but also to foreign entities that process personal data for offering goods or services, or for profiling individuals, within India. The bill excludes anonymised or non-personal data.

The bill envisages key concepts such as the right to be forgotten, the right to rectification, data portability, the formation of an independent redressal mechanism in the form of a Data Protection Authority (DPA), the appointment of a data protection officer, data audits and standards for anonymised data.

The bill has highlighted two key stakeholders in the data ecosystem. A data subject who provides her data for any purpose is denoted as a “data principal", and an entity or an individual who determines the purpose and means of processing the personal data of the “data principal" is denoted as a “data fiduciary". The bill has also introduced the concept of a “significant data fiduciary", which would be notified by the DPA after its constitution, based on parameters such as the sensitivity of the personal data and the volume of personal data processed by the data fiduciary.

Certain exemptions have been proposed, such as for processing for research, archiving or statistical purposes, for domestic or journalistic purposes, and for small entities.

Core to the data privacy bill are consent and notice. Consent is now required to collect and process all personal data, not just the narrower category of “sensitive personal data" for which explicit consent is mandated. The definition of “personal data" is now predicated on just one criterion: whatever makes an individual identifiable. However, the definition of sensitive personal data has been expanded: while retaining the existing categories, new categories such as genetic data, official identifiers (like the Aadhaar number), transgender status, intersex status, caste or tribe, sexual orientation, sex life, and religious and political belief have been added. In any transaction, notice is going to play a vital role. It must be provided in a form and with content (regarding collection, purpose, processing of personal data, retention period, cross-border transfer, and so on) that is easily comprehensible to the data principal.

However, purpose limitation and specific consent and notice for each transaction can be a double-edged sword. The bill advocates purpose limitation, explicit consent and notice, which is a welcome step. But these criteria should not end up as a one-standard-fits-all model. Asking customers for explicit consent at every juncture will result in lengthier notices, disclaimers and formats for ticks or checks, leading to friction and drop-offs midway. Under the bill, where the interest of the data principal is adequately protected, the right to revoke consent is available at any stage of the transaction. Therefore, a single consent for multiple transactions or purposes should be allowed if it is explicitly obtained with due notice to the data principal. The bill must consider the anticipated innovations in the digital finance sector.

New-age customers want the convenience of digital finance on smartphones, and policymakers are also working towards greater financial inclusion by encouraging a transparent digital ecosystem. However, restricting the usage of financial data by financial institutions or fintech firms will impact financial inclusion and the ability to provide life-stage-based product mapping. Financial products are complex and awareness is low, so life-stage handholding is equally important and should not be buried under layers of consents and notices that make the process inefficient.


Data protection regulation should complement innovation. Data analytics by financial institutions, including fintech firms, can help Indian customers engage more effectively and efficiently with financial markets and products, at the right time. For example, a young prospective consumer who has just started his career will ideally look for a credit card, a consumer durable loan and maybe a vehicle loan. Purpose limitation would create friction and hinder financial institutions in analysing and proposing the right product at the right age.

Only serious players will survive. The bill treats accountability as the central principle for data protection, and the proposed data protection norms and safeguards are certainly going to increase the accountability of companies and of data processing/service providers. Implementing a data protection framework will increase IT expenditure, as the framework must be established, maintained and effectively monitored. This is likely to weed out non-serious players, unscrupulous data compromisers and sellers, who will be isolated by the risk of penalties, the cost and the demanding standards.


As large-scale data breaches around Aadhaar and banking systems continue to dominate the headlines, we are close to legislation that will raise compliance standards for entities dealing with personal data and increase their exposure to penalties. All regulated entities should, therefore, adopt the recommendations early and prioritise compliance with security standards to minimise the risk of a data breach, without waiting for the data protection bill to be enacted into law. Success is about self-regulation and industry-specific minimum standards that should become the new norm.

Parag Mathur is general counsel,
