Can a Data Protection law soon become a Reality for India?
Now that the justice BN Srikrishna committee has submitted a draft Data Protection as well as the Personal Data Protection bill, 2018 (pdf) to the Narendra Modi government, the wait for comprehensive data protection rights may soon be over.Though it is not devoid of loopholes, this bill will form the framework for India’s data protection laws, prescribing how organisations should collect, process, and store citizens’ data.
The committee’s report recommends that the law should be applicable to processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India. However, it asserts that in respect of processing by fiduciariesthat are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India.
Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, it empowers the Centre to exempt companies which only process the personal data of foreign nationals not present in India.
The Data Protection Bill if acceptedwill mandate companies to store one copy of all personal data within the country. The committee however has left it to the government to define which kind of personal data can be qualified as “critical” which will have to be stored only in India.
The Bill that will be subject to further review once it is introduced in parliament, showcases India’s growing concern for data privacy.The government has also sought comments from the general public on the draft Data Protection Bill which can be submitted by September 10. An August 14 notification on its The Ministry of Electronics and Information Technology website reads, "MeitY solicits comments from general public on the Draft Personal Data Protection Bill by 10th September 2018."
Experts have said that the Bill has been modelled partly on the European Union's General Data Protection legislation and India’s Information Technology Act, 2000. It runs into a total of 112 sections.
Data Protection in current scenario…
If looked into the internet, data protection is the process of protecting data and involves the relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy and the political and legal underpinnings surrounding that data. It aims to strike a balance between individual privacy rights while still allowing data to be used for business purposes.
According to experts, data protection should always be applied to all forms of data, whether it be personal or corporate. It deals with both the integrity of the data, protection from corruption or errors, and privacy of data, it being accessible to only those that have access privilege to it.
Data protection today is the need of the hour for global citizens as well as enterprises and governments. Data protection has generally been weak on the priority list of organisations for far too long,but the scenario is slowly changing for many of them. The EU's GDPR guidelines that came into effect in May this year may have been the guiding force behind initiating a debate on this matter.
In the era of internet, anyone sitting anywhere in the world can access the data assets residing anywhere in the world.However there has been a discussion going on around the fact of whether there is any threat if the data resides outside the country.
“If the concern is around the data protection then data localization without appropriate data protection regime wouldn’t serve any purpose,” asserts Rana Gupta, Vice President - APAC Sales, Identity and Data Protection, Gemalto. “However if the concern is around company sharing the data to foreign government under the local judgment/directions, then it helps mandating companies to keep data locally.”
He continues, “But considering that in many cases, the interaction data being generated (say for example on Facebook, Twitter, WhatsApp etc) will involve interactions between individuals from multiple nationalities, then it is perceivable that the same data will be available in multiple geographies. Especially in cases where the localization is being sought, there do will be a foreign/MNC entity involved unless it is just intended to force Indian companies to not use the foreign CSP.”
Considering most organizations today allow for reasonable use of company issued computers and other IT assets for personal use, it is likely that a significant amount of personal data resides on these assets. This may pose a challenge while seeking assets for investigations or other proactive fraud detection measures undertaken by the organization. In line with these new guidelines, organizations may need to relook at their internal IT policy and their fraud response policy and ensure that employee approvals are obtained prior to accessing personal data.
What industry expects from the Bill?
As a security company, Rana seeks to have this bill do following things –
• Mandatory breach notification so that we all start to understand the severity of problem. One cannot address a problem if one doesn’t understand the extent of the problem itself.
• Categorization in terms of penalties to be imposed on different kinds of organizations. The biggest burden should be put on the Government Departments, Defense Organizations and PSUs as any breaches into those organizations will likely have the biggest dent on India as a society.
• It is hoped that this bill raises the importance of data centric security and seeks to have the organizations apply the concept of privacy by design (encryption) and by default (processing the minimum amount of sensitive data).
Once the Data Privacy Bill mandates certain requirement, it is bound to shake up the existing ecosystem and customers will ask of simpler ways to implement the security requirements as asked for by the Data Privacy Bill. It is expected that in longer term it shall simplify the adoption of security practices by nudging the organizations to build privacy by design rather than thinking of it as an after-thought.
Says Jayant Saran, Partner, Forensic – Financial Advisory, Deloitte India, “The Bill covers diverse aspects of data protection including collection, processing and analysing of personal data. It also lays emphasis on protection of personal and sensitive data of children. The bill has placed emphasis on defining various stakeholders and participants such as fiduciary (entity requesting processing of personal data), processor (analyser of said personal data), and principal (individual to whom the personal data belongs). This is a welcome move considering several other developed economies already have stringent data protection laws.
The Bill also proposes significant financial penalties for noncompliance which will compel organisations to relook at how they treat personal data and take appropriate measures to remain compliant. Specifically, in the context of corporate fraud investigation and related scrutiny of transactions, the Bill covers the rights of data principals even during allegations of fraud and subsequent investigations. For example,
• In order for the data fiduciary (the client) to forensically preserve data of the company issued IT assets (laptops/desktops/mobile phones etc.) of the data principal (suspect/target/custodian) to conduct the investigation, consent and prior intimation for collecting the data of said data principal will be required as these devices may contain personal information relating to the data principal.
• The data fiduciary will also have to disclose the reason for collecting the data and the proposed retention period of the collected data to a competent Authority as defined by the bill.
Further, data fiduciaries and data processors alike may be liable for damages in case there is a violation of the terms of the bill such as
• During a personal data security breach
• If the data processor acts outside the instructions of the data fiduciary,
• If either the data processor or the data fiduciary is negligent or does not incorporate adequate safeguards while analysing the data.”
“The committee’s recommendation for setting up a Data Protection Authority (DPA) which will be responsible for monitoring, enforcement, standard setting, awareness creation and grievance handling is a reflection of a comprehensive approach towards data management in India. With several instances of data leaks on both individual as well as organizational level that have taken place in the past had created an alarming situation across the country. With the regulation taking form, citizens of the country can now be assured of the safety of their sensitive data. Similar to EU’s GDPR, the Data Protection Law in India is a much needed regulation which will institutionalize processes for organizations across all sectors to better manage both primary and secondary,” says Ramesh Mamgain, Area Vice President, India and SAARC Region, Commvault.
“Our member companies are at the forefront of data-driven innovation and recognize the importance of fostering trust and confidence in the online environment. We therefore support the effort to create a comprehensive legislation to protect the personal information of citizens in India,” says Venkatesh Krishnamoorthy, Country Manager India, BSA | The Software Alliance. “However, including data localisation requirements in such legislation is contrary to the goals of promoting a Digital India, as global data transfers are critical to cloud computing, data analytics, and other modern and emerging technologies and services that underpin global economic growth. BSA recommends that India’s Personal Data Protection Bill avoid imposing undue restrictions on the ability to securely transfer personal data outside of India.”
“The Srikrishna panel report has laid down numerous vital points when it comes to protecting the data of Indian citizens- the most crucial being the creation of DPAI - the intended watchdog for data protection in India. Privacy advocates across the country will be hoping that DPAI's powers are not thinned when finally executed. The panel has also included provisions to prohibit organizations from using privacy as a veil to stall transparency. The penalities proposed by the panel report, if administered as is, will be a great deterrent and effectively ensure data assurance for Indian citizens,” comments Farrhad Acidwalla, media entrepreneur and founder of CYBERNETIV.
However the Bill is not without loopholes, as pointed out by Amba Kak, Policy Advisor in India. The panel is facing criticism for being too lenient and lacking in clarity on key issues and many has emphasised that the Bill in its current form should not be introduced in Parliament and further consultations must take place.
“This bill provides a strong foundation of protection for Indians’ privacy, but it is not without defects - in particular, the requirement to store a copy of all personal data within India, creating broad permissions for government use of data, and the independence of the regulator’s adjudicatory authority. We welcome the Government’s commitment to a public consultation process, which we hope will rectify the cracks in this foundation,”Amba says.