How Personal Data Protection Bill is expected to change the way privacy is perceived and practised – The Economic Times

Murali Rao is cybersecurity leader

Lalit Kalra is partner, data privacy, Ernst and Young (EY) India

Policymakers, Big Tech, digital entrepreneurs and civil rights activists across the world are engaged in debates about data privacy. In an increasingly digital world, companies and administrations need to collect data to serve you better. Equally, there are worries that your data, thus collected, can be misused. How much to collect, how to store and protect the data, and what purposes it can be used for, continue to be some of the key issues revolving around data privacy.

The worry that data collected by technology firms could be misused, or even hacked by malicious actors, has led many countries to pass stringent laws and prescribe norms for data protection. The increasing incidence of hacking, and of financial and identity fraud, has only accelerated the move. The EU’s General Data Protection Regulation (GDPR) and China’s Personal Information Protection Law (PIPL) are two notable laws that prescribe stringent norms for organisations collecting and storing personal data.

India’s data protection law could come into effect soon as well. The Joint Parliamentary Committee (JPC) report on the Personal Data Protection Bill, 2019, has been tabled in Parliament during this winter session.

So, what is personal data? It includes any information that can be used to identify an individual. The scope of ‘personal data’ includes everything from your name, address, telephone number, email address and identification documents to bank statements, telephone records, emails, text messages, employment records, appraisals and website browsing history. The current Bill is expected to change the way privacy is perceived and practised within Indian business and government departments.

The proposed law will apply to data fiduciaries or data processors in India and abroad, if they process any personal data for any business carried on in India, offer goods and services to data principals (citizens) in India, or conduct any activity that involves profiling of data principals within the country.

The Bill lays emphasis on data localisation, and organisations need to identify and store ‘critical data’ in servers located in India. This is likely to increase the costs for those who currently save data in central server farms outside India. But it will also give a fillip to the domestic data centre industry. Additionally, sensitive data can be transferred outside India with explicit consent, on the basis of contracts permitted by GoI. This will need standardised privacy-oriented agreements for transfer of data and obtaining explicit consent of the data principals.

The Bill states that social media platforms can operate in India only if the parent company sets up an office in the country. The recommendations also suggest that social media companies are accountable for the content that is published on their platform and should, therefore, be addressed as ‘publishers’. The Bill also lays down clauses on certification of digital and Internet of Things (IoT) devices to regulate hardware manufacturing companies. Additionally, it introduces the concept of Privacy by Design – a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure and business practices.

Organisations will need to appoint a data protection officer, who will be responsible for providing information and assisting the authority to ensure compliance with the provisions.

India’s Data Protection Bill also grants a wide range of rights to its data principals. Sensitive personal data shall not be processed without the consent of the data principal at the time of commencement of its processing. The Bill also has the provision to grant compensation to data principals in case of violations.

The proposed law protects children as well, prescribing regulations for parental consent and age verification for data fiduciaries. It has introduced guardian data fiduciaries who operate commercial websites or online services directed at children, or process large volumes of personal data of children. Guardian data fiduciaries will be prohibited from profiling, tracking and behavioural monitoring or engaging in targeted advertising of children.

The Bill prescribes stringent penalties for organisations that do not follow the norms. But it also proposes a phase-wise approach of implementation of provisions with a timeframe of 24 months for organisations to make changes to their policies, processes and infrastructure. It is a bold step in strengthening India’s privacy landscape with the steep rise in consumption of digital services. The Bill also strikes a fine balance to ensure that organisations have enough time to adhere to the prescribed norms.
