The Personal Data Protection Bill (PDP) 2019 was introduced in Lok Sabha on December 11, 2019 and is expected to come out as law in 2020 once it is reviewed by the joint parliamentary committee (JPC). With this law, GoI has pushed the idea of data sovereignty by mandating that certain classes of data be stored within Indian borders to allow law enforcement agencies to investigate crimes faster. Industry bodies have raised concerns over the data protection Bill, saying it 'compromises' on privacy.
The Bill also gives Indian users rights to obtain personal data, correct, erase, update and port the data from one company to another, and raise grievances. The Bill seeks to provide for protection of personal data of individuals, and establishes a Data Protection Authority for the same.
Former Supreme Court Judge Justice BN Srikrishna, the chief architect of the draft law, has said the final version of the bill is to be sent to a select committee of Parliament for a review before it becomes law. He said that, assuming the draft bill comes out as it is, there are sections which begin by saying that "no data would be collected by the government agencies but except under the authority of the parliament legislation."
Recently, there was news that Israeli spyware Pegasus was used for hacking into Facebook-owned WhatsApp for snooping on activists, lawyers and journalists across the world including India. There also have been allegations that the Indian government was using Pegasus to spy on citizens.
The proposed Personal Data Protection Bill is said to have provisions that can trigger far-reaching implications for big tech firms such as Google and Facebook that operate out of India, requiring them to re-tune their businesses. These global technology companies have been arguing that the proposals will shoot up their operating costs and in some cases, prohibit delivering some internet services.
Industry bodies have flagged certain provisions in the Personal Data Protection Bill, saying that these will impinge on the privacy of Indian citizens and create challenges for businesses. Several global corporations and corporate entities operating in India have also raised concerns about data localisation requirements.
“Data privacy does not give you the right to keep the data where you want. Data privacy gives you the right not to share it with anybody without your (users') consent. Now if there is another law which says whoever you give it to, must keep it in India under a valid law, surely you are also (bound) by that law,” said Srikrishna.
To another question about why social media giant Facebook does not have a data centre in India, despite having many of those in countries such as Singapore and the US, Srikrishna said that earlier there was no control mechanism (in India). “They thought, it was not worthwhile; you can sit in America, Singapore and carry on with it. Now the writing on the wall is very specific. They also know, there is this difficulty where the data centre has to be located. Now they are thinking about it and (as per the law) they will have it in India too.”
The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India. Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual. The Bill categorises certain personal data as sensitive personal data. This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator.
Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the means and purpose of processing personal data. Such processing will be subject to certain purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purpose. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as: (i) implementing security safeguards (such as data encryption and preventing misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints of individuals. They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
Social media intermediaries: The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information. All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations, which include providing a voluntary user verification mechanism for users in India.
Data Protection Authority: The Bill sets up a Data Protection Authority which may: (i) take steps to protect interests of individuals, (ii) prevent misuse of personal data, and (iii) ensure compliance with the Bill. It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
Transfer of data outside India: Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.
Exemptions: The central government can exempt any of its agencies from the provisions of the Act: (i) in interest of security of state, public order, sovereignty and integrity of India and friendly relations with foreign states, and (ii) for preventing incitement to commission of any cognisable offence (i.e. arrest without warrant) relating to the above matters. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as: (i) prevention, investigation, or prosecution of any offence, or (ii) personal, domestic, or (iii) journalistic purposes. However, such processing must be for a specific, clear and lawful purpose, with certain security safeguards.
Offences under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher. Re-identification and processing of de-identified personal data without consent is punishable with imprisonment of up to three years, or fine, or both. The Bill amends the Information Technology Act, 2000 to delete the provisions related to compensation payable by companies for failure to protect personal data.
Industry bodies concerned over data protection Bill: IAMAI highlighted that the requirement to get a certification from the DPA in order to do business in India would create a "restrictive Certification and Licensing regime" for organisations to operate in India.
The US-India Business Council (USIBC) said the Bill contains several new provisions outside the core issue of data privacy that raise serious concerns for the private sector, particularly the inclusion of requirements around non-personal data and social media intermediary liabilities.
These two issues are distinct from personal data issues and are complex in their own right. Given the need for additional discussion, we urge the government to remain focused on essential data privacy issues and to take up these matters as part of existing policy efforts taking place in parallel to the Bill.
The central government has the power to exempt data processors that process personal data of data principals who are outside the territory of India. While this was included in the earlier draft of the Bill as a miscellaneous provision, it has now been included under the chapter on exemptions under the Bill, as per NASSCOM.
Other experts say it is definitely a great law to protect data privacy in India. However, before it gets amended, a proper timeline must be given for the industry to comply with the law of the land. All the respective industry bodies and media (print/electronic/digital) should create awareness in the country and get prepared, else there would be a huge problem, and the good thing would be that there won’t be any fear factor to do business in India.