The Personal Data Protection Bill, which is expected to be tabled in Parliament today, is likely to water down many suggestions of the draft Bill prepared by Justice BN Srikrishna. According to reports, in a significant departure from the draft Bill, the Bill allows personal data to be stored and processed abroad, without requiring a mirror of the data in India. In addition, the Bill gives broad powers to government agencies to collect personal and sensitive data of citizens. Neither of these was part of the draft Bill.
An earlier draft Bill had provided exemptions to the government for collecting such data for security, criminal investigations and crime prevention. It had, however, stipulated that these exceptions be authorised by a separate law and data collected only if it was “necessary for, and proportionate to” the government’s interests.
With data becoming the new oil, the Personal Data Protection Bill is being brought in to regulate the collection and storage of personal data and its usage, individual users’ consent and the penalties for misuse of data.
The bill states that while personal data can be kept anywhere, sensitive personal data should be stored in India only and can be processed under some conditions, mainly consent. Besides this, it also states that critical data must be stored and processed only in India. Earlier, a copy of all personal and sensitive data was to be stored in India, while transfer of sensitive data was to be allowed in specific cases only.
The Bill to be tabled in Parliament does not include any of these limitations on the exemptions to government agencies from the law. Instead, it states the Centre can allow any agency to process such personal data so long as it is “satisfied that it is necessary or expedient” for purposes such as “preventing incitement to the commission of any cognizable offence.”
According to Mozilla’s Policy Advisor, Udbhav Tiwari, the latest bill delivers real privacy with regard to processing by companies and is a dramatic step backwards in terms of processing and surveillance by the government.
“Exceptions for government use of data, the verification of social media users, and the forced transfer of non-personal data all represent new, significant threats to Indians’ privacy. If Indians are to be truly protected, it is urgent that the Parliament reviews and addresses these dangerous provisions before they become law,” said Tiwari.
Stating that every individual should have the right to ascertain the extent of exposure of sensitive and private data, Neelesh Kripalani, senior vice president and head, Center of Excellence (CoE) at Clover Infotech said, “By viewing the data as sensitive, critical and general as against putting it all in one bucket, the government will enable users to have a seamless digital experience while knowing that the data will be processed, stored and protected under a strict lawful guideline.”
“Also, the bill outlines a legal framework to preserve the sanctity of consent in data sharing and penalize those breaching privacy norms, thereby giving citizens more power and control over their digital personas and the associated data,” he added.
“The bill is expected to spell out a framework, which would include the processing of personal and private data by public and private entities. As per the draft proposal, hefty penalties will be imposed on entities that violate the privacy of users. This is a good step and we hope that the bill will have a proper balance of data privacy and protection, which will lead to increased transparency,” said Flock CEO Bhavin Turakhia.
According to Ramesh Mamgain, Commvault's area vice president for India and the SAARC region, the data localization aspect of the bill will need more discussion on the critical and not-so-critical parts, and that discussion will evolve. A robust protection framework will further enable companies to manage and store data more securely in a structured format and tap actionable insights from data, unlocking its intrinsic value to drive innovation and growth for the Indian economy.
“The data protection bill will not only empower citizens to have command over where their data is stored, but will also prevent malpractices of phishing and misuse of personal data,” Mamgain said.
According to EY, the implementation of this bill will largely impact how consumer data is protected and kept private. User awareness of privacy has been on the rise lately, and consumers would be seen making more privacy-conscious decisions and regarding brands that provide greater privacy controls as better options.
The research firm said that although several countries globally have already implemented similar data protection laws, this is a ground-breaking step for the nation towards building a significant base for a ‘trusted’ digital India.
“The data protection bill is like a double-sided sword: on one hand it protects the personal data of Indians by empowering them with data principal rights, and on the other hand it bestows the central government with exemptions which are against principles of processing. The state can process even sensitive personal data when required, without an explicit consent from the data principals,” said EY.
“However, the government will need to show that any processing of personal data is necessary and processing of sensitive personal data is strictly necessary for the exercise of any function of the state authorized by law for the provision of service or benefit. These broadly-worded carve-outs can be misused and hence need to be carefully examined.”
According to Jaspreet Singh, Partner – Cyber Security at EY, the bill proposes that data fiduciaries be obligated to take necessary measures and implement policies to ensure that privacy is embedded and built into all the systems, applications and architecture at each stage of processing: collection, processing, usage, transmission, storage and disposal. Additionally, it requires data fiduciaries to implement appropriate safeguards to ensure security of the personal data, such as encryption and de-identification.
“The bill also defines a class of sensitive data fiduciaries for organizations conducting high risk processing. Such sensitive data fiduciaries will be obligated to take additional measures to demonstrate compliance, which includes conducting Data Protection Impact Assessments, appointment of a data protection officer and annual data protection audits by an external auditor,” said Singh.
According to various experts, the bill is expected to have a large impact on tech companies, which will have to revamp their data processing and storage mechanisms.