India’s Data Protection Bill – What to expect and What will Change
Concerns around privacy and the individual’s right to protect privacy have been a topic of intense debate recently. Societies the world over, are trying to balance the need to protect the individual with the need to protect society overall. In one case, the individual’s rights have to be placed on a higher plane whereas in the other case, an investigative or a regulatory body’s need to gain access to an individual’s information is paramount.
As this tug-of-war continues, governments everywhere are trying to come up with laws and regulations to bound this problem in a scientific way and prescribe rules and guidelines for businesses to follow.
The European Union’s attempt to do this via The General Data Protection Regulation (or the GDPR) has been the most far reaching until now. From that perspective, GDPR is arguably the single most significant regulation in history. It replaced a patchwork of EU national rules with a single regulatory framework with global reach and strict penalties for those who fail to comply. In fact, so comprehensive is the regulation, that several other countries are using it as a blueprint to design their own privacy laws.
The Union Cabinet of India recently approved the Data Protection Bill and is modeled quite closely on the GDPR. While it might take some time for the bill to come into full effect, here are a few things your organization must know about the Data Protection Bill.
Every bill contains specific jargon which could be difficult to remember or understand. Here are some important terms to remember for this bill –
- Data principal: A person whose data is being stored and processed. This is a Citizen in GDPR terms.
- Data fiduciaries: Entities that collect and handle data. This would typically be businesses/organizations. GDPR terms them Data Controllers.
- Data Processors: Entities that process the data that fiduciaries collect. Could be cloud providers, SaaS application providers. GDPR also refers to these as Data Processors.
Types of Data:
The bill details three categories of data. As far as I know, GDPR doesn’t distinguish any further than data that is private vs not.
- Personal data: Any kind of data that could be personally identifiable of a person.
- Sensitive data: Data that reveals financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief of a person is sensitive data
- Critical data: Data related to military, intelligence or national security
Processing of Data:
After initial resistance against having all the collected data to be processed in India, the bill was amended to include these changes –
- Consent of individuals required for transferring data outside of India.
- Sensitive data should be stored only in India with an override allowed under certain circumstances that requires an approval by the Data Protection Agency.
- Critical personal data must be stored and processed only in India.
- A “serving copy” needs to be maintained for all personal data. The bill specifically says, “Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.” This is nothing but a backup. The act enforces data fiduciaries to keep one copy of all personal data on a server or data center located in India.
Data that is processed needs to be maintained in an anonymized form which ensures that even when accessed, it does not reveal the identify of an individual or compromise their privacy in any way. Specifically, the bill specifies: (a) use of methods such as de-identification and encryption; (b) steps necessary to protect the integrity of personal data; and (c) steps necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data.
So, not only is encryption a critical part of the data processing action, it is important to also couple it with a strict segregation of duties – to ensure no unauthorized access, modification, or disclosure.
- According to the Data Protection Bill, an organization could be penalized up to ₹5 crore or up to 2% of its worldwide turnover, whichever is higher.
- The penalty may also include imprisonment
The bill has come down hard on social media companies. In an attempt to prevent trolling from people masked behind fake accounts, the bill requires social media companies to develop their own user verification mechanism
Just as in the case of GDPR, the bill requires explicit consent from data principals for their information to be used by the data fiduciaries.
Right to be forgotten
This is an important element in GDPR which got quite a bit of attention and press. The initial draft of the Data Protection Bill seemed non-committal about providing citizens with the ‘right to be forgotten’, but that seems to have changed in the final version which includes the data principal’s right to be forgotten just like in the case of GDPR.
Overall, the Data Protection Bill has started a much-needed conversation in India about how personal data is being collected, in what context, and how it is stored. At Parablu, we develop data management solutions which help businesses stay regulatorily compliant. We’ve helped several customers achieve SOX and GDPR compliance. Please write to us with questions, opinions, or simply to learn more about our products and how we can help you. Drop us a line at firstname.lastname@example.org. We’d love to hear from you.