After a year of deliberations with think tanks, Justice Srikrishna Committee submitted the much-awaited report on Data Protection and the draft Personal Data Protection Bill 2018 to Ministry of Electronics and Information Technology (MEITY) last week. The aim of the law is to ensure a free and fair digital Indian economy and it is seen as an important pillar in setting up a framework which gives the Indian citizens full freedom to protect their data.
The development came at a time when citizens are reeling under a direct threat to their assets and it is believed that the protection of personal data holds the key to empowerment, progress, and innovation. The draft follows the implementation of the General Data Protection Regulation (GDPR) in Europe. It is said to have taken cues from the already present legal frameworks in different countries, such as GDPR in Europe, America’s laissez-faire approach and The Chinese Cybersecurity Law, will surely feature the country on the world map
For those who don’t know, GDPR offers the citizens complete control of the data and give them an option to total erase the data which is stored in the servers. In the US, the laissez-faire approach gives power to private entities to regulate data handling and imposes stringent obligations on the state. According to the Chinese Cybersecurity Law, the state will have the power to regulate the data. The does not give any choice to individual citizens and the government decides what data should be processed on the basis of it own privilege taking into account a collective interest of the society. The Indian law chooses a central path and gives the freedom to the citizens as well as to the government.
The draft submitted essentially notes that “the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy.” This means the the bill treats the data as a “matter of trust” and not an individual’s “property” asking the data fiduciary -- any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data -- to be more responsible.
NASSCOM-DSCI welcomed the thrust on creating an institutional structure through a Data Protection Authority in the country as well as the importance of Privacy by Design.
“NASSCOM-DSCI has been advocating for a healthy balance between privacy and Innovation, given that India is today emerging as a preferred hub for innovation and STEM talent globally. Policies that govern data protection, storage and classification need to be carefully crafted given the global footprint of the IT-BPM sector. Service providers in India process financial, healthcare and other data of citizens globally. India is also the destination for R&D, Product Development and Analytics, Shared Services,” it said.
The bill recommends that an independent authority should be setup to oversee the regulation process and deal with all data-related issues in the country as well as prescribe penalties if the data fiduciaries violate the law. The law also takes into account the frauds and looks to minimise them. “This is a welcome move considering several other developed economies already have stringent data protection laws. The bill also proposes significant financial penalties for noncompliance which will compel organisations to relook at how they treat personal data and take appropriate measures to remain compliant. Specifically, in the context of corporate fraud investigation and related scrutiny of transactions, the bill covers the rights of data principles even during allegations of fraud and subsequent investigations,” said Jayant Saran, Partner, Forensic – Financial Advisory, Deloitte India.
“Considering most organizations today allow for reasonable use of company issued computers and other IT assets for personal use, it is likely that a significant amount of personal data resides on these assets. This may pose a challenge while seeking assets for investigations or other proactive fraud detection measures undertaken by the organization. In line with these new guidelines, organizations may need to relook at their internal IT policy and their fraud response policy and ensure that employee approvals are obtained prior to accessing personal data,” Saran added.
When it comes to the norms for cross-border transfer of personal data, the bill mandates that the data fiduciary will have to keep a copy of the data in the country. Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, the data protection law may empower the government to exempt such companies which only process the personal data of foreign nationals not present in India.
“Mandating localization of all personal data as proposed in the bill is likely to become a trade barrier in the key markets. Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets,” NASSCOM-DSCI added.
What comes under sensitive personal data and new definitions
Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual. Consent will be a lawful basis for processing of personal data and for consent to be valid, it should be free, informed, specific, clear and capable of being withdrawn. For sensitive personal data, consent will have to be explicit.
A data principal below the age of eighteen years will be considered a child. Data fiduciaries have a general obligation to ensure that processing is undertaken keeping the best interests of the child in mind. Further, data fiduciaries capable of causing significant harm to children will be identified as guardian data fiduciaries. All data fiduciaries (including guardian data fiduciaries) is told to adopt appropriate age verification mechanism and obtain parental consent.
Venkatesh Krishnamoorthy, Country Manager India of BSA | The Software Alliance said, “Our member companies are at the forefront of data-driven innovation and recognize the importance of fostering trust and confidence in the online environment. We therefore support the effort to create a comprehensive legislation to protect the personal information of citizens in India. However, including data localisation requirements in such legislation is contrary to the goals of promoting a Digital India, as global data transfers are critical to cloud computing, data analytics, and other modern and emerging technologies and services that underpin global economic growth. BSA recommends that India’s Personal Data Protection Bill avoid imposing undue restrictions on the ability to securely transfer personal data outside of India.”
For Amba Kak, Policy Advisor for Mozilla in India, the bill provides a strong foundation of protection for Indians’ privacy. “... but it is not without loopholes - in particular, the requirement to store a copy of all personal data within India, creating broad permissions for government use of data, and the independence of the regulator’s adjudicatory authority. We welcome the Government’s commitment to a public consultation process, which we hope will rectify the cracks in this foundation.”