India working on a new data protection framework

Posted: 31st July 2018 by Shashank Venkat
Tags: Data Protection Bill, Data Protection Framework, GDPR, India
Categories: Regulation & Compliance

India working on a new data protection framework

Following Europe and Australia’s lead, India is also now preparing its own data protection framework. What will this regulation entail? Shashank Venkat presents the details

As data becomes the most valuable resource in the world, it is quite natural that lawmakers across the globe are looking at the best ways to regulate and manage data from a privacy and ownership standpoint. Europe led the way with the General Data Protection Regulation which came into force on 25th May, and Australia is following suit with the Consumer Data Right legislation which is due to be implemented soon. Now, India is mulling its own data protection framework with a designated panel, headed by Justice BN Srikrishna, submitting a report to the government with suggestions for a data protection law.


The Personal Data Protection Bill, 2018

India’s draft personal data protection bill mirrors GDPR in some areas, while other aspects are set within an Indian context. The bill has introduced concepts known as ‘data principal’ and ‘data fiduciary’. Data principal (similar to data subject in GDPR) is the person to which the data relates, and data fiduciary (similar to data controller in GDPR) is any person, company or entity determining the purpose and means of processing this data. Data processors (same as GDPR) are those entities which process personal data on behalf of data fiduciaries. The data fiduciary will also appoint a data protection officer for helping with compliance under the Act. In addition, the bill also proposes the establishment and incorporation of an independent Data Protection Authority of India that will be in charge of enforcing this framework.

Some of the key provisions include:
  • The law will have jurisdiction over any personal data which is processed or used in any form in India.
  • Personal data means data about or relating to a natural person who is directly or indirectly identifiable.
  • Private and public entities will both be covered by this legislation.
  • Personal data will be processed on the basis of ‘consent’ from the data principal.
  • Processing of sensitive personal data (passwords, financial data, sexual orientation, etc) should be based on ‘explicit consent’.
  • The data principal will have the right to access, correct and confirm personal data, as well as having the right to be forgotten (data erasure). They will also be able to take their data elsewhere using the right to data portability.
  • The data fiduciary will have to inform the data principal about the purpose for which their personal data will be processed, the category of personal data collected and the period for which personal data will be collected, among other responsibilities.
  • Data fiduciaries will have to store at least one copy of all personal data in India. Critical personal data can only be processed in India.
For all the details and other provisions, read this document here.

Notably, India’s Personal Data Protection Bill is less harsh than GDPR when it comes to fines and penalties for non-compliance. The draft bill recommends penalties of up to Rs 15 crore or 4% of the total worldwide turnover (whichever is higher) for violation of provisions. GDPR, on the other hand, has fines up to 20 million Euros (Rs 133 crore) or 4% of worldwide turnover.


Lukewarm reception to the bill

Just like any new legislation, this bill has its fair share of supporters and critics alike. While the proposed laws are a good step forward for filling the gap that exists in privacy and personal data management, the right for data localisation which mandates that some international businesses must set up servers or data centres in India has received some flak. Experts argue that restricting the free flow of data cross-borders may become a trade barrier and impact India’s flourishing IT sector.

In addition, some criticism has also stemmed from the fact that the State is exempted from some obligations – the bill allows processing necessary for functioning of the state and central government. Moreover, processing of personal data for prevention of offence and contravention of law is also allowed.


Our Take

Any legislation which deals with such sensitive data will always be subject to criticism, but we think that this is a good first step for India. Data protection laws across the globe are still nascent and we will see them evolve with time, and the Committee itself has said that it may be necessary to fine-tune the law. The draft legislation may well see further changes as India’s IT minister Ravi Shankar Prasad has promised wide-ranging consultations and discussion in parliament before it becomes enshrined in law.

As far as businesses with customers in India are concerned (and that includes big businesses like Facebook and Google), it seems sensible to learn from the impact of GDPR and take proactive steps in readiness for the new law. With data becoming an increasingly valuable commodity, more citizens around the world understand the power of their individual data, and companies would do well to be transparent and process data in a fair manner. Personal data has been exploited for far too long and it is time for course correction!


Image credit: Flickr

0 comments

Categories: Regulation & Compliance

Tags: Data Protection Bill, Data Protection Framework, GDPR, India

Categories

5G (37)
Blockchain (13)
Cerillion (55)
Cloud (69)
Digital Transformation (149)
E-commerce (42)
Internet of Things (28)
Media & Publishing (59)
Regulation & Compliance (51)
Subscriptions (304)
Telecoms-BSS (266)

Tags

Netflix Amazon Apple Spotify SVOD Amazon Prime BSSOSS Facebook Google 5G subscription billing billing COVID-19 MWC IoT

Recent posts

DTW Asia 2023: on the future of digital transformation in Asia and beyond

Cerillion Product Forum – March 2023

Interview: Amit McCann on smart city BSS project in Egypt

What will the 3G switch-off mean for customers and telcos?

MWC 2023: A mixed bag of innovation and hype

RSS Feeds

Archive

March 2023(5)
February 2023(3)
January 2023(2)
December 2022(2)
November 2022(3)
October 2022(5)
September 2022(4)
August 2022(2)
July 2022(3)
June 2022(6)
May 2022(4)
April 2022(3)
March 2022(5)
February 2022(3)
January 2022(4)
December 2021(2)
November 2021(4)
October 2021(5)
September 2021(4)
August 2021(3)
July 2021(4)
June 2021(4)
May 2021(4)
April 2021(4)
March 2021(4)
February 2021(4)
January 2021(3)
December 2020(2)
November 2020(4)
October 2020(4)
September 2020(3)
August 2020(3)
July 2020(2)
June 2020(3)
May 2020(3)
April 2020(5)
March 2020(6)
February 2020(5)
January 2020(2)
December 2019(1)
November 2019(4)
October 2019(2)
September 2019(2)
August 2019(2)
July 2019(4)
June 2019(2)
May 2019(1)
April 2019(1)
March 2019(3)
February 2019(2)
January 2019(0)
December 2018(1)
November 2018(3)
October 2018(4)
September 2018(3)
August 2018(1)
July 2018(2)
June 2018(0)
May 2018(1)
April 2018(2)
March 2018(2)
February 2018(4)
January 2018(4)
2017(9)
2012(3)
2010(1)