India working on a new data protection framework

India working on a new data protection framework

Following Europe and Australia’s lead, India is also now preparing its own data protection framework. What will this regulation entail? Shashank Venkat presents the details

As data becomes the most valuable resource in the world, it is quite natural that lawmakers across the globe are looking at the best ways to regulate and manage data from a privacy and ownership standpoint. Europe led the way with the General Data Protection Regulation which came into force on 25th May, and Australia is following suit with the Consumer Data Right legislation which is due to be implemented soon. Now, India is mulling its own data protection framework with a designated panel, headed by Justice BN Srikrishna, submitting a report to the government with suggestions for a data protection law.

The Personal Data Protection Bill, 2018

India’s draft personal data protection bill mirrors GDPR in some areas, while other aspects are set within an Indian context. The bill has introduced concepts known as ‘data principal’ and ‘data fiduciary’. Data principal (similar to data subject in GDPR) is the person to which the data relates, and data fiduciary (similar to data controller in GDPR) is any person, company or entity determining the purpose and means of processing this data. Data processors (same as GDPR) are those entities which process personal data on behalf of data fiduciaries. The data fiduciary will also appoint a data protection officer for helping with compliance under the Act. In addition, the bill also proposes the establishment and incorporation of an independent Data Protection Authority of India that will be in charge of enforcing this framework.

Some of the key provisions include:
  • The law will have jurisdiction over any personal data which is processed or used in any form in India.
  • Personal data means data about or relating to a natural person who is directly or indirectly identifiable.
  • Private and public entities will both be covered by this legislation.
  • Personal data will be processed on the basis of ‘consent’ from the data principal.
  • Processing of sensitive personal data (passwords, financial data, sexual orientation, etc) should be based on ‘explicit consent’.
  • The data principal will have the right to access, correct and confirm personal data, as well as having the right to be forgotten (data erasure). They will also be able to take their data elsewhere using the right to data portability.
  • The data fiduciary will have to inform the data principal about the purpose for which their personal data will be processed, the category of personal data collected and the period for which personal data will be collected, among other responsibilities.
  • Data fiduciaries will have to store at least one copy of all personal data in India. Critical personal data can only be processed in India.
For all the details and other provisions, read this document here.

Notably, India’s Personal Data Protection Bill is less harsh than GDPR when it comes to fines and penalties for non-compliance. The draft bill recommends penalties of up to Rs 15 crore or 4% of the total worldwide turnover (whichever is higher) for violation of provisions. GDPR, on the other hand, has fines up to 20 million Euros (Rs 133 crore) or 4% of worldwide turnover.

Lukewarm reception to the bill

Just like any new legislation, this bill has its fair share of supporters and critics alike. While the proposed laws are a good step forward for filling the gap that exists in privacy and personal data management, the right for data localisation which mandates that some international businesses must set up servers or data centres in India has received some flak. Experts argue that restricting the free flow of data cross-borders may become a trade barrier and impact India’s flourishing IT sector.

In addition, some criticism has also stemmed from the fact that the State is exempted from some obligations – the bill allows processing necessary for functioning of the state and central government. Moreover, processing of personal data for prevention of offence and contravention of law is also allowed.

Our Take

Any legislation which deals with such sensitive data will always be subject to criticism, but we think that this is a good first step for India. Data protection laws across the globe are still nascent and we will see them evolve with time, and the Committee itself has said that it may be necessary to fine-tune the law. The draft legislation may well see further changes as India’s IT minister Ravi Shankar Prasad has promised wide-ranging consultations and discussion in parliament before it becomes enshrined in law.

As far as businesses with customers in India are concerned (and that includes big businesses like Facebook and Google), it seems sensible to learn from the impact of GDPR and take proactive steps in readiness for the new law. With data becoming an increasingly valuable commodity, more citizens around the world understand the power of their individual data, and companies would do well to be transparent and process data in a fair manner. Personal data has been exploited for far too long and it is time for course correction!

Image credit: Flickr