The Indian Government is all set to legislate the Personal Data Protection Bill of 2019, which seeks to protect the privacy of personal data, regulate the processing of critical and sensitive personal data and establish a Data Protection Authority of India (DPAI) for regulations. In other words, the bill would control the collection, storage, usage, processing, transfer, protection, and disclosure of personal data of Indian residents. This is an important development for global managers.
What does the Bill provide?
The Personal Data Protection Bill highlights some key features:
- Promote concepts of consent, storage limitation, purpose limitation, and data minimization.
- Put down obligations on agencies that collect personal data required for a specific purpose only, with the express consent of the individual.
- Grant rights on obtaining personal data of the individuals, make corrections to inaccurate data, update data, erase data, port data to other fiduciaries, and also the right to prevent the disclosure of personal data.
- Grant right of grievance to individuals to complain against data fiduciary.
- Authorize the central government to exempt any government agency from applying the proposed law.
- Establish Data Protection Authority of India (DPAI) to prevent misuse of personal data, protect the interests of individuals, ensure compliance, and promote awareness about data protection.
- Empower the Data Protection Authority of India (DPAI) to specify the code-of-practice to promote good practices of data protection.
- Update social media intermediary as a significant data fiduciary whose actions have a significant impact on electoral democracy, the security of the state, public order, or sovereignty and integrity of India.
- Authorize Adjudicating Officers for deciding on penalties and award compensation for violations and Appellate Tribunal to hear appeals against these.
What’s in for Organizations?
Unlike Chinese regulations that follow the isolationist framework and prevent global players like Facebook and Google from operating within its borders, India has followed the EU's General Data Protection Regulation (GDPR) in allowing international digital companies to conduct business under certain conditions. Yet, the bill carries additional provisions beyond the EU regulation. And India would always treat the data generated by its citizens as a national asset, store and guard it within national boundaries, and reserve the right to use that data to safeguard its defense and strategic interests. The Personal Data Protection Bill (PDPB) has many features that will require organizations to change their business models, practices, and principles. Many others will have to add operational costs and complexity. The concerns being raised will act as a primer for what Organizations need to keep in mind about India’s new regulation and the increase in data protection regulation around the globe. Additionally, understanding these issues will help digital companies to plan ahead, address future regulations, and decide whether to enter or exit certain markets.
Organizations need to Gear Up
The need to secure Data Privacy is quite urgent for Organizations, considering the emerging threat scenarios and implications of a data breach. With growing instances of data center decommissioning and migration to the cloud, companies are going through a technological shift. According to a study, by the year 2025, 80% of enterprises are expected to migrate away from on-premises data centers to the cloud. IT asset migration with faster device refresh cycles highlights residual data leakage as a key issue linked to disposal workflow. Keeping these intrinsic data privacy challenges in mind, lack of awareness, technological shift, and usage patterns in the emerging policy framework for data protection, it is obvious that most companies are not yet prepared to tackle them. Unlike America and Europe, where data privacy laws have been for long and now going through iterations to govern data handling at the micro-level, we are yet waiting for our first data protection statute. So, Organizations in India will have to scale up their skills, systems, practices, and policies to fall in line with the Personal Data Protection Bill. But there’s a whole lot that Organizations will need to understand to fall in line with the new law. Let’s have a closer look.
Ownership of Personal Data
The Bill proposes that the data provider is the owner of their own personal data. Now, this notion can impose an enormous implementation burden for digital companies. Organizations in the digital world would have to figure out how to comply with this requirement when the user demands erasure or recall of their personal data from a digital company. Digital companies will also have to think beyond their own data storage and usage, as they might have sold the data to a third party.
Three Classes of Data
According to the Personal Data Protection Bill, there are three categories of data from which a principal can be identified, Sensitive Data, Critical Data, and remaining data. Sensitive data includes data on financials, health, genetics, sexual orientation, transgender status, caste, and religious belief. Critical data includes data that the government stipulates from time to time as extraordinarily important like military or national security data. The third is a general category that is not defined but contains the remaining data. As mentioned above, the bill prescribes specific requirements that data fiduciaries must follow for the storage and processing of each data class. All sensitive and critical data is supposed to be stored in servers located in India. While critical data can’t be taken out of India, sensitive data can be processed outside the country but must be brought back for storage. For general data, there are no restrictions. Currently, digital companies operate in a seamless cyber world, where they store and process their data wherever is economically most efficient. However, the locational divide proposed by the Personal Data Protection Bill will impose additional costs on digital companies. This might result in subeconomic storage and processing capacities and may lead to “splinternet” or fragmentation of global digital supply chains.
Key Principles for processing of Personal Data
- Readily accessible statements of the policies and practices of the data controller.
- Types of personal data collected by the body corporate and purpose of collection and usage of such information.
- Reasonable security practices and procedures.
- Disclosure of information including sensitive personal data as and when it is requested by the data subject.
- Lawful Basis of Processing: The body corporate must obtain consent in writing from the data subject for the specific purpose for which the data would be used, before the collection of data. Sensitive personal information may only be collected if considered necessary. The companies must ensure that the information is being used only for the purpose for which it is collected.
- Purpose Limitation: The body corporate holding personal data should not retain that information for longer than it is required for which the date should be used lawfully. Although a specific time frame for the retention of personal information has not been provided yet.
- Retention: The IT Act does not provide any specific guidelines regarding the time frame for the retention of personal data. As per the IT Act, an intermediary is required to preserve and retain the information in a format for a period of time as prescribed by the Central Government. Intermediaries include telecom service providers, network service providers, web hosting companies, search engines, online marketplaces, and cyber cafes.
Depending upon volume and sensitivity of data processed, risk of harm from processing to data principals, types of technologies used by the data fiduciary, and turnover, the data protection authority will notify some data fiduciaries as significant. This notification would require the data fiduciary to register with the authority, as specified. As per Section 38, data protection authority would require registration by any data fiduciary at its discretion, even if it is not notified as a significant data fiduciary. For data processors and controllers, there are no statutory registration requirements. If a data fiduciary contravenes registration requirements, it will be liable to a penalty that may extend up to Rs. 50 million or 2% of its total worldwide turnover in the preceding financial year, whichever is higher.
Limits on how Start-Ups can monetize Data
While large companies, including Indian information technology companies and global Internet giants, may not have to put too much effort to tweak their systems to comply with the proposed Indian law, start-ups may find it tough to put systems in place. The government will likely give companies up to 2 years to be fully compliant with the proposals in the Data Protection Bill after it passes Parliament and becomes law. Indian startups will have to significantly restructure the way they capture data, store it, and have set up the consent mechanism. They will also require manpower who can well understand the law and rules. A cost element will also be involved and they may have to budget for storage and compliance cost, as well. Once the Personal Data Protection Bill is in force as a law, the start-up companies will only be able to collect personal data for clear, specific, lawful, and communicated purposes. Companies can collect only that data which is required for processing. The data cannot be repurposed for another use without informing the user of that change This can be particularly relevant for pilot projects that collect data without a definite purpose, in the hope of monetizing that data at some point in time. As per the new law, start-up companies will have to anticipate and inform consumers of the use cases and purposes of data collection in advance, even before processing any data, so as to ensure that the user consent that they obtain is valid. The real challenge is with government agencies and state government departments and large tech giants who deal with a lot of user data. Start-ups will have additional cost burden, but the implementation of privacy provisions will not be a challenge. The new data protection bill will have significant consequences for start-ups, but at the same time companies will benefit from engaging with the shaping of the Personal Data Protection Bill. Learn more about the details of PDPB.