Executing business across geographies and the increased use of digital technologies require sharing data, including personal data, across boundaries. Sharing data increases the risk of data breaches and cybercrime. With the protection of citizen data being of paramount importance, various countries have introduced stringent data protection regulations.
India already has “The Information Technology Act, 2000”, which contains clauses restricting unauthorized access to, use of, and modification of sensitive personal data. However, it lacks specifics on contemporary data privacy requirements such as consent management, breach notification, and the use of data protection technologies. Therefore, a special committee appointed by the Indian government has drafted and released the first draft of “The Personal Data Protection Bill 2018”. This bill is a significant step towards protecting the data of Indian citizens.
What does the Personal Data Protection Bill say?
The noteworthy points in the Data Protection Bill 2018 are given below.
· Clear definition of key stakeholders: The bill identifies as key stakeholders the Data Fiduciary (which collects and may itself process data), the Data Processor (which processes data on behalf of the Data Fiduciary), and the Data Principal (whose sensitive data is in question: individuals, Hindu Undivided Families, companies, firms, amongst others).
· Data Protection Authority (DPA): A new national body set up to oversee overall compliance with the data protection framework, in accordance with the proposed regulation.
· Data Protection Officer (DPO): Each Data Fiduciary will need to appoint a DPO, who would ensure that personal data is processed in accordance with the provisions of the bill.
· Data Principals’ Rights: The bill grants Indian citizens various rights, such as the right to access personal data and confirm its processing, the right to correct inaccurate or incomplete personal data, the right to data portability, and the right to restrict or prevent disclosure of personal data. Another right, the ‘right to forget’, can only be exercised through an Adjudicating Officer of the DPA, so a Data Principal cannot exercise it directly by approaching the Data Fiduciary. Secondly, the bill does not give citizens an explicit right to demand deletion of their personal data, which leaves Data Principals with diminished control over their own data.
· Consent Management: Before processing any category of personal data, the Data Fiduciary must obtain explicit, informed, and specific consent from the Data Principal, with the purpose of collecting the personal data clearly defined.
· Data Categorization: The bill identifies specific data categories as sensitive. Furthermore, within these sensitive categories, it treats some as being of elevated importance; such categories can be designated by the central government and will be called “critical personal data”.
· De-identification of Personal Data: The Data Fiduciary shall apply appropriate data protection controls such as data masking, de-identification, or encryption so that personal data is processed securely and in accordance with the law.
· Data Residency: The bill proposes that critical personal data must be processed in data centers physically located in India. Where data is transferred across borders, at least one copy of the sensitive personal data must be stored physically in India.
· Data Breach Penalty: In the case of a personal data breach, a penalty of INR 15 crore or 4% of the Data Fiduciary’s total worldwide turnover of the preceding financial year has been proposed.
· Data Breach Notification: In the event of a data breach, the Data Fiduciary must notify the DPA “as soon as possible” or within the time period specified by the DPA. The DPA would then decide whether the Data Fiduciary needs to notify the Data Principal about the breach. By not directly defining the notification period, the bill gives the DPA greater control and authority to amend the duration (without going through parliamentary procedure). However, from the standpoint of the Data Principal, this reduces transparency, since Data Fiduciaries are not explicitly mandated to notify Data Principals of a breach.
· Exemptions: The bill identifies specific scenarios, such as national security, various legal matters, some forms of research, some scenarios of journalism, and certain Data Fiduciaries identified as “small”, amongst others, in which exemptions will be made with respect to some clauses of the bill.
Are we ready for a secure future?
It is about time that we in India wake up to the reality of personal data protection. As the owner of an Indian enterprise, you will need to safeguard data in accordance with this proposed bill, should it become law. As citizens of India, you will need to be conscious of your data protection rights and learn to exercise them.
Do you think the Personal Data Protection Bill will help us move towards a safe and secure future? What are your thoughts?