The Government of India is set to introduce the Personal Data Protection Bill in the current Parliamentary Session after the Union Cabinet approved it. The Bill seeks to establish a framework for handling personal data, including its processing by public and private establishments.
The draft Personal Data Protection Bill was introduced by the Justice BN Srikrishna Committee in the year 2018. “This report is based on the fundamental belief shared by the entire Committee that if India is to shape the global digital landscape in the 21st century, it must formulate a legal framework relating to personal data that can work as a template for the developing world,” said the report.
The bill is also expected to govern how global giants such as Google, Amazon, Alibaba, Facebook and others will handle, process, store and transfer users’ personal data. Industry reactions to the development have begun to pour in, and Jaspreet Singh, Partner - Cyber Security at EY, shares the following views:
Rights
In today's digital age, a primary point of concern for individuals is breach of their privacy and personal data. India has recognized this concern, albeit a little late, through its Data Protection Bill. In a billion-strong nation, there are nearly 500 million active internet users and India’s online market is second only to China. Internet penetration has grown exponentially in the last five years, thanks to the growth of startups, e-commerce companies and technology offerings across industries.
The implementation of this bill will largely impact how consumer data is protected and kept private. User awareness of privacy has been on the rise lately, and consumers would be seen making more privacy-conscious decisions and regarding certain brands that provide greater privacy controls as better options.
The Personal Data Protection Bill intends to confer controlling power in the hands of the data principals and hence provides them with the right to access and correction, the right to data portability and the right to be forgotten. It attempts to provide its citizens with comprehensive data protection rights and create a trust-based relationship between the data principal and the data fiduciary.
Exemptions to the Personal Data Protection Bill
Although several countries globally have already implemented similar data protection laws, this is a ground-breaking step for the nation towards building the significant base of a ‘trusted’ digital India. The data protection bill is like a double-sided sword: on one hand it protects the personal data of Indians by empowering them with data principal rights, and on the other hand it bestows the central government with exemptions, which are against principles of processing.
The state can process even sensitive personal data when required, without explicit consent from the data principals. However, the government will need to show that any processing of personal data is necessary and processing of sensitive personal data is strictly necessary for the exercise of any function of the State authorized by law for the provision of service or benefit. These broadly worded carve-outs can be misused and hence need to be carefully examined.
Security
The bill proposes that data fiduciaries are obligated to take necessary measures and implement policies to ensure privacy is embedded and built into all the systems, applications and architecture at each stage of processing: collection, processing, usage, transmission, storage and disposal. Additionally, it requires data fiduciaries to implement appropriate safeguards to ensure security of the personal data, such as encryption and de-identification.
The bill also defines a class of sensitive data fiduciaries for organizations conducting high-risk processing. Such sensitive data fiduciaries will be obligated to take additional measures to demonstrate compliance, which includes conducting Data Protection Impact Assessments, appointment of a data protection officer and annual data protection audits by an external auditor.