By Rudra Srinivas
Most people in India have never accessed the Internet through a computer. In fact, their encounter with the Internet is only through smartphones. As India’s consumers lap up Internet services, social media and other apps, they gladly submit their personal details to service providers in exchange for free use of their services. Those details are usually stored on servers outside India’s borders, which has worried the Government of India.
In July 2017, the Government of India formed a committee of experts to study the issues related to data protection in the country. The committee was led by retired Supreme Court Justice BN Srikrishna. After working on it for a year, the committee submitted a draft of the Personal Data Protection (PDP) Bill in July 2018 and requested feedback from the public, Ministers, stakeholders, and other industry experts.
A revised draft of the Bill was submitted in the Lok Sabha, the lower house of parliament, on December 11, 2019, and has been sent to a joint parliamentary committee (JPC) for further deliberations before being taken up for passing. The Bill was widely expected to pass in 2019; however, that has now been deferred. The Bill is expected to become a law or an Act in 2020.
What the Bill could achieve
The Personal Data Protection Bill (PDP Bill) is India’s first attempt to domestically legislate the mechanisms for the protection of personal data, and it aims to set up a Data Protection Authority in the country. The Bill regulates the processing of citizens’ personal data by the government, companies incorporated in India, and foreign companies that deal with the personal data of customers in India. Through the proposed law, the Government of India is rooting for data sovereignty by mandating that certain classes of data be stored within Indian borders.
The proposed Bill also allows processing of data by fiduciaries with the consent of the individual. A data fiduciary is an individual or entity that decides the purpose of processing personal data. However, the Bill also permits personal data processing without consent in some cases, such as when the government provides benefits to the individual, for legal proceedings, and in medical emergencies.
Kinds of Personal Data, according to the proposal
The proposed Bill forces companies dealing with people’s personal data to reconsider their data management practices. The Bill regulates three categories of data – Personal Data, Sensitive Personal Data, and Critical Personal Data.
The Bill defines Personal Data as any information that’s collected online or offline which can be used to identify a person, like name, address, phone number, location, shopping history, photographs, telephone records, food preferences, movie preferences, online search history, messages, devices users own, and social media activity.
Sensitive Personal Data includes health care data (like private information you share with a doctor or healthcare apps), financial data (banking and payments information), sexual orientation, biometrics (facial images, fingerprints, iris scans), caste or tribe, religious and political beliefs.
“Critical Personal Data” has not yet been defined by the government.
Advantages to Citizens
The proposed Bill gives high priority to individual rights on data protection. As per the Bill, citizens’ personal information can’t be collected, processed, or shared without their consent. Only the necessary data will be collected, and it can be used for pre-defined purposes only.
The companies are required to be clear and concise on what data is collected, its purpose, how it’s used, and for how long the data will be retained. The Bill also permits customers to move their data from one provider to another and allows users to know the number of companies with whom the data is shared.
Impact on Private Organizations
Private entities are required to place limits on the collection, processing, and storage of their customers’ data. They are also required to report any security incidents to the regulator.
Additional responsibilities are also imposed on companies based on the volume of data they collect from customers. This includes periodic security audits, appointment of a data protection officer, and performing data protection assessments defined by the regulator. Social media platform providers will also be mandated to enable customers to verify their accounts.
Tough penalties have been proposed for failing to comply with the data protection requirements. According to the Bill, any organization sharing customers’ data without their consent will attract a fine of INR 15 crores (around US$ 2.1M) or 4 percent of its global turnover. A data breach, or a delay in addressing or reporting it, will result in a fine of INR 5 crores (US$ 0.7M) or 2 percent of global turnover. Individuals representing the companies can also be sentenced to a prison term.
Data Localization Requirements
In terms of data localization, the Bill allows the transfer of personal data across borders without any limitations. However, restrictions are placed on “sensitive personal data”, which must be stored in India. Sensitive personal data can also be processed outside the country if the regulator approves it. For “critical personal data”, the government will itself notify which data falls into this category; such data must be stored and processed within the country.
Criticism on the Revised Bill
The Bill landed in controversy for being different from what was proposed by the expert group in its first draft in July 2018. The Indian government, through the proposed law, wants to allow law enforcement agencies and authorized third parties to have access to citizen data in order to investigate crimes faster. In other words, it will exempt any government agency from the legal obligations. This, of course, has led to resistance and delayed the passing of the Bill. Justice B.N. Srikrishna, the chief architect of the draft law, also has concerns and said the law could turn India into an ‘Orwellian State’.
Several industry experts have opined that unaccounted access to personal data of customers might lead to data misuse. “The Bill provides an exemption to any agency of government from the application of the Act in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order. The unrestricted government access is like a two-sided coin scenario. On one hand, the privacy bill is a part of the government’s efforts to have more control of data and help it track unlawful activities by using digital footprints. On the other hand, the user’s access may give the government unaccounted access to personal data of customers in the country leading to data misuse and unauthorized access,” Jaspreet Singh, cybersecurity leader at EY, told CISO MAG.
Several privacy concerns have also been raised by experts over the revised draft Bill. The Bill states that personal and non-personal data may be processed without obtaining consent from the concerned user to help in the delivery of government services.
The changes that were made
Justice B.N. Srikrishna, who led the committee that drafted the 2018 PDP Bill, stated that there is no oversight on government agencies accessing citizens’ data. Sharing his thoughts on the same, Pavan Duggal, a Supreme Court advocate specializing in cyber law and the Chairman of the International Commission on Cybersecurity Law, said, “The chapter on exemptions under the Data Protection Bill represents a massive dilution of the bill by giving these exemptions to governmental agencies. However, we also need to be mindful of the fact that governments would want certain access to personal data for sovereign and governance reasons. But the way the current exemptions came out is independent. It is the classical piece of legislation which is going two steps forward and six steps backward.”
Impact on International Trade
Data protection discussions often revolve around the transfer of data. In this regard, the proposed Bill has received a lot of attention from global tech giants as well as Indian firms that work for international companies.
“There’s no denying that this bill, if it becomes a law, will have a significant impact on foreign companies as well as trade between India and other nations,” Pavan Duggal told CISO MAG. He stressed that the Bill takes a U-turn from the stance the Reserve Bank of India (RBI) took in April 2018. The RBI in its notifications stated that all data relating to banking must be physically in India and cannot leave Indian soil, and that continues to be the position till today. “However, the proposed Bill is a complete walk down on the RBI stance as it allows sensitive data to be stored outside India,” he added.
“The bill is a ground-breaking step for the nation towards building the significant base of ‘trusted’ digital India. It will change the way privacy is perceived and practiced by various businesses. Global organizations based in India and/or providing services will be particularly impacted. Considering the data transfer mandates, most global firms which process personal data of Indians and store their data at remote locations will face challenges in terms of increased compliance costs,” suggested Jaspreet Singh.
Where the Bill Stands Today
The much-awaited Bill, which was expected to be passed by the end of 2019, has been put on hold for now following severe concerns raised about changes in the proposal. The proposed Bill was recently referred to a JPC, in consultation with various groups, for further analysis. The joint committee, with 20 members from the Lok Sabha (lower house) and 10 from the Rajya Sabha (upper house), will be headed by Meenakshi Lekhi, Member of Parliament. The committee is expected to submit its views before the end of the upcoming budget session.
The PDP Bill lays down provisions for thwarting the misuse of personal data in the country. It sets mandates for data processing activities such as data protection, storage, and management. On the flip side, the Bill, if passed, could have major implications for national security, foreign investment, and international trade.
Rudra Srinivas is part of the editorial team at CISO MAG and writes on cybersecurity trends and news features.