India’s Data Protection Law a step closer
India’s data protection law is a step closer to being enacted after Union IT Minister Ravi Shankar Prasad introduced the Personal Data Protection (PDP) Bill, 2019, in Parliament on December 11.
The Bill begins on a promising note: “The provisions of this Act,” reads the bill, “shall apply to the processing of personal data by the State, any Indian company, any citizen of India” and goes on to list rules that empower individuals to take control of their information. It provides a framework for protecting individuals’ privacy, the ways in which their data can be processed with consent, and the obligations of the processing individuals and organisations. The Bill articulates exemptions such as national security, under which even sensitive data of individuals can be processed without their express permission; it also sets the guidelines about which data needs to strictly remain, and be processed, within India, and what can be processed overseas.
A Data Protection Authority will be set up to oversee the implementation of the law.
Currently, there are no laws on the use of personal data and preventing its misuse, although the Supreme Court upheld the right to privacy as a fundamental right in 2017. The PDP Bill substantially modifies the draft of the Committee and introduces new constructs such as consent managers and social media intermediaries and confers greater powers on the Data Protection Authority (DPA) and the Central Government.
The Bill, cleared by the Cabinet, has raised several concerns. The Internet and Mobile Association of India (IAMAI) feels that the suggested provisions in the data protection bill raises serious concerns, as some of the rules can be restrictive for service providers and enterprises and may not be inclined towards India’s target of a $1tn digital economy by 2024. The body also claimed that it would isolate India in the global economy as service providers who do not get certification approval from DPA will not be able to offer their services in the country.
Many issues that were raised when GDPR was implemented remain relevant for India. A lot will depend on how policies will be enforced and if that will help large companies take further edge over smaller firms. Providing adequate support to organisations to comply with the new rules will be crucial. They need to understand the meaning of informed consent and translate legal specifications into technical implementation.
The data protection bill is not yet final. It has been referred to a joint select committee of both Houses of Parliament to review. They are expected to submit their report before the end of the forthcoming budget session. If the country’s parliamentarians genuinely want to protect the data and privacy of citizens, they must deliberate on the shortcomings of this bill. Crucially, if they want to empower individuals, they need to cede some of their own powers.
We, at the UKIBC, having been working with businesses and voicing their concerns with the relevant stakeholders in India. We have been advocating that:
- There needs to be a simple regime for the cross-border transfers of business and non-personal data to ensure innovation, more collaboration and trade.
- The regulator should publish clear definitions of the ‘three buckets- critical personal data, sensitive personal data and general personal data’.
- Appointments to and from the Board should be recommended by a truly independent committee without Government influence – and should be based on expertise in the area.
- The draft Personal Data Protection Bill does not provide enough time for implementation of the requirements; leaving only 6 months for data fiduciaries and data processors to implement changes required by these codes of practice. This should be looked at and increased reasonably to a minimum of 24-month implementation period after legislation passes into force (like in the case of the EU GDPR).
For more information on the Personal Data Protection (PDP) Bill and its impact on businesses, the UKIBC will be hosting a webinar in mid-January 2020. If you are interested in attending email firstname.lastname@example.org and we will contact you with more details closer to the event.
For more information on our initiatives within the sector please contact Meghna Misra-Elder, Associate Director at email@example.com