By Vikas Bhonsle
In July 2018, the Committee of Experts on Data Protection (‘the Committee’) submitted a draft of Personal Data Protection Bill, 2018 (‘the 2018 Bill’) to the Government of India. On the basis of recommendations made by the Committee and suggestions from various stakeholders, on 11 December 2019, the revised Personal Data Protection Bill, 2019 (‘the 2019 Bill’) was introduced and it finally gathered the Cabinet’s approval on December 04, 2019. Although the final form of the Bill that was presented has not been revealed to the public, the government has promised that it will be adequate and in line with the global standards of data protection. This bill aims to protect the privacy of individuals with respect to their personal data and governs the relationship between individuals and entities processing their personal data. It simultaneously strives to create a robust digital economy by ensuring innovation through digital governance.
What does it mean for individuals?
Up until now, privacy laws in India offer little protection against the misuse of your personal information. The transfer of personal data is governed by the Sensitive Personal Data and information, 2011, which has increasingly proved to be inadequate. To empower data principals (individuals) and provide them with more control over their own data, the bill has listed out a host of rights – ‘right to confirmation and access’, ‘right to correction’, ‘right to data portability’ and ‘right to be forgotten’ as individuals fundamental right. Unless they have given explicit consent, their personal data cannot be shared or processed. Out of all these, basic rights such as the right to seek confirmation, access and rectification are exempt from any fees, thereby promoting transparency.
What does it mean to companies?
The proposed law may have a considerable impact on companies operating in India, whether with or without a physical presence, due to its data localisation requirements and cross-border data transfer restrictions. Data localization is a polarizing concept. While some of the companies are against it, others have spoken up to support it. For ISPs the draft may bring changes as it suggests enforcing certain mandatory provisions that have a significant effect on business models, financial implications and modus operandi. One bad news for companies is that the bill’s penalties are also inspired by its European cousin – the GDPR. Some violations come with a maximum penalty of either Rs 5 crore or to two per cent of the global turnover of a company in the previous year (whichever is higher). For other violations, such as non-compliance with the PDPB’s cross-border transfer provisions and consent and grounds of processing, penalties extend to Rs 15 crore or four per cent of the global turnover in the previous financial year (whichever is higher).
The proposed Data Protection Bill (PDP) is a welcoming step and it certainly puts the ownership of data in the hands of individuals while taking care not to throttle businesses and innovation. It introduces an interesting mixture of data privacy rights and obligations already familiar (mainly from the GDPR) and comes forth with new, unique requirements. Most of the measures required to comply with the proposed policy can be handled through technology, while few points may need a reconsideration of some recommendations before finalizing the bill. It is time for us and to follow leads like GDPR and set an example to the rest of the world on how a good policy can bring the whole nation together to protect the rights of everyone.
(The author is the CEO of Crayon Software Experts)