Personal Data Protection Bill a Step in The Right Direction
Personal Data Protection Bill a Step in The Right Direction
An exclusive story capturing the regulation's laudable provisions, a constructive analysis, and insightful suggestions from experts and luminaries.
Ideally, a regulation that deals with the privacy of individuals should take effect only after there is enough awareness, and understanding created about it else it could lead to avoidable consequences. However, given the rapid external developments where personal data may be at higher risk of being compromised, the need of the hour is having a workable regulation in place
Dev Bajpai Opines that
Privacy was declared a Fundamental Right by a nine-Judge Constitutional Bench of the Hon'ble Supreme Court in the matter of K.S. Puttaswami & others versus the Union of India. The Apex Court had also impressed upon the Central Government to bring into existence a robust data protection regime. The Government now proposes to enact a legislation – The Personal Data Protection Bill, 2019 (the Bill) which has been referred to a Joint Parliamentary Committee. Amongst other objects of the Bill, protection of the privacy of individuals relating to their personal data, creating a relationship of trust between persons processing personal data are significant objectives. It is reported that the Committee has had detailed deliberations with stakeholders, examined all representations, and proposed 89 amendments to the Bill that has 98 clauses.
THE BILL MARKS A HISTORICAL MOMENT IN THE OFFING
To have a legislation that addresses how to deal with personal data and the privacy of data subjects is a welcome step. The Government needs to be complimented for bringing this Bill swiftly after wide-ranging consultation post the Report submitted by the Committee of Experts on Data Protection chaired by Mr. Justice B.N. Srikrishna. Personal Data & Privacy are important subjects. Respect for one's personal information processed and stored by another should receive the importance it deserves.
Data is a national asset and should be harnessed and utilized for the benefit of the communities. Personal Data as compared to Non-Personal Data is no different. In fact, personal data needs to be dealt with a higher degree of care & sensitivity. It should be used for the benefit of both the community and the person sharing such data. The law should, therefore, aim to create a relationship of trust between the person who shares personal data and the person who collects and processes such data referred to in the Bill as the Data Fiduciary. This relationship of trust casts certain obligations on the Data Fiduciary to deal with the personal data in a responsible manner recognizing the rights of the person who shares personal data referred to as the Data Principal in the Bill.
THE DEFINITION OF PERSONAL DATA COULD BE SIMPLIFIED
The proposed regulation offers several opportunities for simplification commencing with the definition of Personal Data itself. The Bill within the definition of Personal Data includes "any inference drawn from such data for the purpose of profiling." That means that any inferences or attributes that are drawn by virtue of processing of personal data of the data subject in terms of the choices that data subjects make, products that they may buy, their spending habits, lifestyle choices that they make and so on and so forth will be also be considered Personal Data. Such data if asked for by the Data Principal or the Regulator, will have to be provided. There is a need to simplify this by deleting the inclusion made in the definition. The Data Fiduciary makes the inference through proprietary tools and algorithms deployed to secure information to serve the consumer better. These inferences should not be within the purview of Personal data.
THE DEFINITION OF CHILD COULD BE RECONSIDERED
Dev Bajpai notes that the definition of Child is pegged at someone who has not completed 18. The data fiduciary has an obligation to verify the child's age and obtain the consent of the parent or natural guardian before processing any personal data of the Child. This age of 18 should be reconsidered to either 13 or 14 as is the case in many advanced jurisdictions. Today, children in their early teens have access to social media accounts and share personal data. They are empowered to make decisions on its processing from a much younger age. Also, casting additional obligations on the data fiduciary on this account should not be insisted. There is no need for the regulator to specify regulations if the age limit is reduced to 13 or 14. By imposing additional obligations on the data fiduciary, they would end up collecting more Personal Data of the parent/guardian that goes against the principle of data minimization.
THE PROVISIONS CONCERNING CONSENT COULD BE STREAMLINED
The Bill places heavy reliance on securing Consent as a primary ground for processing personal data. While the Bill provides for "reasonable purposes" to be specified by regulation after considering a set of factors for permitting the processing of personal data without consent. In the case of GDPR, such processing is permitted in "legitimate interest". Here the legitimate interest can be determined by the data fiduciary unlike in the Bill, where the regulator determines reasonable purposes keeping into account the considerations mentioned in the Bill. The more we make our law subject to delegated legislation, we may end up perpetuating the sharing and collecting of more personal data.
THE DATA PRINCIPAL'S RIGHTS COULD BE RATIONALIZED AND RESPONSIBILITIES BE BALANCED
The Data Principal has certain rights some of which emanate from the judgment of the Apex Court. These include the Right to Confirmation and Access, Right to Correction and Erasure, Right to Data Portability and Right to be Forgotten. These rights are welcome. Dev Bajpai suggests that the Bill has scope for simplification in the exercise of some of these rights. For instance, the provisions on data correction and erasure can be simplified. The data is supplied by the data principal and this party has every right to have it corrected, completed, updated, or erased. The data fiduciary may not agree to let the data principal exercise this right only if it is sought to be exercised in a mala fide manner. Similarly, in the case of the Right to be Forgotten, the Bill presently provides that this right can only be enforced upon an order passed by the Adjudicating Officer on a reference made by the data principal. There is scope to simplify this aspect. It is an issue between data principal and fiduciary. Best that it can be resolved by them when a bona fide request is made by the principal. The ethos and spirit behind collecting, processing, and storing personal data are to maintain its sanctity by using it for the purpose for which it is collected and demonstrating to the data subject that his/her rights are protected by not sharing it with any third party unless the circumstances warrant necessary sharing to preserve its sanctity. That should be the underlying principle of any data protection regime. The right to be left alone has to be respected.
The data fiduciary has several responsibilities under the Bill and rightfully so. However, these responsibilities have to be balanced and proportionate to the role of the data fiduciary. The data fiduciary should not be held responsible for the acts & omission of independent third-party data processors that process the data on its behalf. The data fiduciary should be tasked with educating, conduct due diligence, building capacity insofar as data processors are concerned before entrusting any personal data to processors. However, having done that, they cannot be held responsible for the actions of processors on their behalf.
The other area for simplification and rationalization is how one has to deal with Data Subject Access Requests. It can lead to avoidable work at the end of the Data Fiduciary and the possibility of misuse cannot be ruled out on account of frequent & frivolous requests. There should be a token fee prescribed for confirmation and access requests.
THE CLASSIFICATION AS A SIGNIFICANT DATA FIDUCIARY AND CATEGORY OF CRITICAL PERSONAL DATA NEEDS CLARITY
The classification as a Significant Data Fiduciary should only be done basis the sensitivity of data processed and not the basis turnover of the data fiduciary or volume of data processed.
Classification of data into personal data & sensitive personal data is adequate. Creating another category of Critical Personal Data without specifying what it will comprise of ends up creating uncertainties. Authorities have in any case the power to notify certain classes of data as sensitive, so it does not make much meaning having a third category of personal data. This should be streamlined into two categories only.
THE PROPOSED PROVISIONS ON PENALTIES NEED TO BE RELOOKED
Dev Bajpai opines that the proposed provisions on penalties need to be relooked. They have to be proportionate to the breach committed and the harm caused. This law, therefore, requires a mindset change. As a society, we are used to collecting and storing data for inordinately long periods of time. There is also low sensitivity to personal data that gets collected. All this will require change which is going to take some time.
THERE IS A NEED TO GENERATE ENOUGH AWARENESS AND BUILD CAPACITY TO EMBRACE THIS BILL
Further, when this proposed law is enacted, its implications should be cascaded across institutions, organizations, citizenry, authorities, NGOs so that there is enough awareness built and capacity developed to embrace this important piece of legislation. Ideally, a regulation that deals with the privacy of individuals should take effect only after there are enough awareness and understanding created about it otherwise it could lead to avoidable consequences. However, given the rapid external developments where the personal data is at a higher risk of being compromised, the need of the hour is to have a workable regulation in place.
THE REQUIREMENT OF ANONYMIZING ALL DATA COULD PROVE TO BE ONEROUS
agrees with Dev Bajpai's view
that the ambit of data that would get regulated under the Bill as Personal Data is much wider than the European Union's General Data Protection Regulation (GDPR). That will put an onerous obligation on companies to identify all categories of Personal Data processed by them to ensure compliance. Further, the Government can direct the data fiduciary or a data processor to provide any personal data anonymized or other non-personal data. Rajeev Chopra cautions it could potentially compromise organizations' client data, which is being processed by an Indian service provider in its capacity as a 'data processor'. This provision gives the government the prerogative to access business intelligence and intellectual property of companies for its own planning and development purposes. This needs more deliberation.
Even the requirement of anonymizing all data could potentially prove to be onerous increasing the complexity of organizations' data management systems and the subsequent need for increased security measures regarding non-personal data. Rajeev Chopra recommends that the performance of a contract and legitimate interest be included as a ground for processing personal data to reduce the burden on data fiduciaries. Additionally, 'reasonable purposes' should not just be limited to the list provided under the Bill and should be entrusted to the data fiduciaries to self-assess. Rather than have a Data Protection Authority (DPA) laying down regulations, data fiduciaries must be empowered to determine the purposes for data processing.
LOCALIZATION REQUIREMENTS CAN BE MADE CLEARER
Say if an international company that uses an Indian data processor for processing personal data of non-Indian citizens is asked to keep a local copy of personal data in India. That could potentially breach other data privacy laws such as the principles of data minimization.
THE BILL SHOULD IDEALLY BE CONFINED TO CIVIL PENALTIES.
In tune with Dev Bajpai's concern that the proposed provisions on penalties need to be relooked, Rajeev Chopra states that criminal liability and imprisonment are excessive penalties. They should be regulated in criminal codes and for violations of the law such as cybercrime or fraud. The Bill should ideally be confined to civil penalties.
THE ADDITION OF 2 NEW RIGHTS DATA PRINCIPAL IS WELCOME
B. Murli, General Counsel & Company Secretary and Dhwani Rao, Head Legal Counsel- IP, Digital and HR Legal at Nestle
welcome the addition of 2 new rights:
The right to access in one place the identities of all data fiduciaries with whom their data has been shared, and a right to the erasure of personal data on request.
THERE IS A SCOPE FOR EXCEPTIONS WHEN THE 2 NEW RIGHTS CANNOT BE CONFERRED
The Bill could have a scope of exceptions when such rights cannot be conferred by Data Fiduciary to avoid disproportionate efforts and purpose by delivering these rights akin to European law. In some situations, Data Fiduciary could be allowed to refuse or put a condition to release information if:
(a) release of information would adversely affect the rights of others including intellectual property rights or trade secrets. E.g., if release of the logic of automated decision-making would involve release of intellectual property;
(b) If Data Fiduciary holds a large quantity of data about a data subject, it can ask the data subject to specify the information or processing activities to which the request relates; or
(c) the request is made for purposes other than data protection purposes, then it could be rejected.
Each of these exemptions requires an assessment that can be accordingly communicated to the Data Principal.
THE REQUIREMENT TO SUBMIT 'A PRIVACY BY DESIGN POLICY' TO THE DPA FOR CERTIFICATION NEED STIPULATIONS
THE SHIFT FROM REASONABLE TO 'NECESSARY STANDARDS' WILL BENEFIT FROM CLARIFICATION
Making many process controls on encryption, de-identification, preventing misuse, ensuring accuracy, and anonymization. It would be helpful if it's clarified that necessary standards will have to be read above 'reasonable' standard measures laid down in the IT Act. That would increase technical, safety, and security compliance which is yet to be defined. If not, this could impact data audit standards to be complied by the data fiduciaries internally and externally.
POLICIES FOR DIGITAL ECONOMY CAN BE MATCHED WITH STEADFAST DISCUSSION ON 'NON-PERSONAL DATA FRAMEWORK' BEING MADE VOLUNTARY
Under the PDP Bill, 2019, the Central Government has been empowered to frame any policy for the digital economy that does not govern personal data. Further, the Central Government in consultation with the DPA may direct any data fiduciary or processor to provide any anonymized personal data or other non-personal data to enable targeted delivery of services or formulation of evidence-based policy.
B. Murli and Dhwani opine that this move can be matched with steadfast discussion on 'Non-Personal Data Framework' being made voluntary. The intent of insertion of such must ensure adaptation of 'Non-Personal Data Framework' discussions and conformity instead of varied exposure and concerns it may have for Data Fiduciaries.
PROHIBITIONS ON PROCESSING BIOMETRIC DATA NEEDS FURTHER DELIBERATION
The Bill prohibits Data fiduciaries from processing biometric data that has been notified by the Central Government unless such processing is permitted by law. Biometric is an important element of digital business. Publication of draft notification with reasonable time for comments would provide an opportunity to represent if it involves sudden breakage of activity or impact on business.
PROVISIONS ON DATA LOCALISATION / CROSS BORDER TRANSFER OF DATA AS AGAINST WHAT WAS PROVIDED IN THE 2018 BILL ARE LAUDABLE
The requirement to store one copy of all personal data in India has been dispensed with. Sensitive personal data may be transferred outside India for processing but will need to be stored in India. Cross-border transfer of such data may be made only with the explicit consent of the data principal and when one of the three additional grounds specified in the Bill are fulfilled.
Critical personal data, as notified by the Central Government, is subject to hard localization, and may be processed only in India. Currently, there are no guidelines for the kind of data to be considered critical and it is hoped that in due course the guidelines will be issued.
Critical personal data may be transferred out of India only when such transfer is: (a) to a person or entity engaged in the provision of health services or emergency services or when such transfer is necessary for "prompt action." (b) on the basis of adequacy determination of a specific country or international organization or class of entities.
Such initiative has relaxed the industry's additional measures that were otherwise required to mirror all sensitive data that could include- payment data, finance data, salaries of employees, payments to vendors etc., attendance biometric data, laptop biometric data that are otherwise stored in Common Group servers and Data centres that are operated outside of India for many multinationals.
THE BILL SUBSTANTIALLY WATERS DOWN INDIA'S POSITION ON DATA LOCALIZATION WHICH NEEDS CAREFUL CONSIDERATION
internationally renowned expert authority
cautions that the Bill represents a U-turn on the Indian approach to data localization. The gains that the Reserve Bank of India have achieved for Indians on Indian banking data being located within India, would receive a significant setback with the Bill. The Bill appears to have significantly ignored the need to come up with provisions that could reiterate and strengthen India's data sovereignty.
Further, the ambit of the Bill is only limited to the protection of personal information. It excludes non personal information and general information from its ambit.
Yes, the Bill is India's first foray in the area of data protection. That assumes significance in a country where data protection was never given the kind of importance it deserves. However, while the Bill has been substantially inspired by EU's GDPR, the Bill seeks to add elements in the Indian legal ecosystem which were previously not in existence. History proves that a culture of adopting a mere cut-and-paste approach is not a successful strategy in the Indian context. With potential intrinsic conflicts between the mother legislation being Indian Information Technology Act, 2000 and the Bill, Pavan Duggal opines that there is a need for a lot of homework to be done.
INDIA NEEDS TO VIEW THE BILL AS AN EFFECTIVE VEHICLE TO PROTECT AND PRESERVE DATA'S CYBERSECURITY
Pavan Duggal argues that India needs to view the Bill as an effective vehicle to protect and preserve data's cybersecurity. That assumes more significance as India does not have a dedicated law on cybersecurity. The Bill loses sight of the principle that no data protection law is complete without adequate attention to cybersecurity and lacks a futuristic mindset.
Further, with COVID-19 and the subsequent transmigration to Work from Home, the ground realities have completely changed. They need to be incorporated in the Bill.
In the context of data repositories and intermediaries, there is a need to define detailed parameters of due diligence.
IT WILL SERVE INDIA BEST NOT TO ACT IN A HURRY ON PASSING THE BILL
India needs to bring not just deterrence but also send a strong message to the global community that India will do what it takes to ensure data protection and protection of both data and personal privacy in the electronic ecosystem. It will serve India best not to act in a hurry.
Dev Bajpai had also opined that a regulation dealing with the privacy of individuals should take effect only after there is awareness and understanding around it. On a similar note, Pavan Duggal makes a case that the very passing of the Bill without adequate consultations with stakeholders and experts, may lead to more challenges than gains in the coming times.
also expresses concern that
there is still much confusion on the actual enactment and implementation of the final form of the Bill.
THE DISCRETIONARY POWERS TO THE EXECUTIVE BRANCH OF THE GOVERNMENT NEEDS GUIDELINES
Besides, having a regulatory sandbox in place as proposed may be the need of the hour keeping in mind the growing need of the digital economy, however, Salman Waris cautions that an individual's fundamental right to privacy stands a high chance of being jeopardized because the Bill provides the government with unregulated powers to exempt its agencies from the provisions of the Bill for certain circumstances. Discretionary powers to the executive must be accompanied by clear guidelines for exercising such powers.
He also draws attention to Section 3(2) of the Bill that defines anonymized data. Waris opines that irreversible anonymization is impossible. In the absence of provisions prescribing standards for anonymization and penalties for breach, the State's right to access anonymized personal data is an invasion of the right to privacy over personal data. The Bill increases State power to surveillance without creating adequate checks and balances. That is a big concern.
Anubhav Kapoor, Group Vice President - Legal & Group Company Secretary, Cummins India
makes pertinent overcharging observations including specific observations on the Gopalakrishnan Committee's latest Report.
INDIA COULD BECOME THE FIRST COUNTRY TO PUT IN PLACE A COMPREHENSIVE FRAMEWORK FOR NON-PERSONAL DATA.
He sets content that India is the second-most populous country in the world and has the second highest number of smartphone users in the world. Thus India can be projected as one of the top consumer markets, and by extension data markets in the world in the foreseeable future. The Bill therefore is a single national-level regulation in India to establish rights over non-personal data collected and created in India. With such a regulation, India could possibly become the first country to put in place a comprehensive framework for non-personal data in place.
THE BILL ONCE IMPLEMENTED COULD POTENTIALLY REALIZE ECONOMIC VALUE FROM THE USE OF NON-PERSONAL DATA.
Anubhav Kapoor sees huge promise in the Bill to realize economic value from the use of non-personal data and generate economic benefits for citizens and communities in India and unlock the potential value of data by creating incentives for innovation and new products/services and business opportunities in India.
The Gopalakrishnan Committee i.e. the Committee of Experts Non-Personal Data (Community Data) released a draft version of its report on 12 July 2020 and public feedback/suggestions were sought by 13th September 2020. The Committee received over 1500 pieces of feedback from the public/organizations. Based on the public feedback, the Committee has revised its earlier report and a revised draft report has now been published and open for public feedback until January 31, 2021.
THE NEW CLASSIFICATION OF A BUSINESS CALLED 'DATA BUSINESS' NEED TO BE REGULATED.
Depending on what an organization is into, it could realize the value of its data either through direct monetization or internal value realization or through mergers and acquisitions. There are several approaches developed to measure the value of data and this is an evolving field.
Some examples of data-based businesses include social media, search, map-based services, online retail, ride-hailing platforms, digital healthcare, credit rating, etc. Google, Facebook, Amazon and the like use data and user-generated content that they collect and analyze with AI to make better decisions for businesses and organizations. Our society experiences such data-enabled services in the form of platforms like Google Maps, Uber, Amazon, etc. The recent controversy over the change of privacy terms by WhatsApp is an example of the increased sensitivity of the users of social platforms on the use of their data.
Anubhav Kapoor opines that given the fast-evolving developments in this area and the vast economic potential, the Committee's Report proposes a new classification of a business called 'Data Business' which collects and manages personal and non-personal data. In a scenario where few companies with access to large data sets accumulated in a largely unregulated environment could allow the possibility of creating data monopolies. A large consumer market such as India could lead to the creation of imbalances in bargaining power and competition. Therefore, it becomes necessary to catalyze and regulate the Data Businesses in a way that maximizes overall welfare and at the same time, meets the requirement to provide certainty and incentives for new business creation for India and its citizens.
"RE-IDENTIFICATION OF ANONYMIZED DATA" NEEDS ADEQUATE MEASURES TO ENSURE IT DOES NOT DILUTE THE PROTECTIONS UNDER THE BILL.
The Committee's report deliberates on the potential harms from privacy violations due to "re-identification of anonymized data", or from the derivation of personally identifiable insights from non-personal data. The Committee evaluated what will happen in case there is re-identification from non-personal data.
The interface between personal data and non-personal data framework is more real and complicated than envisaged. If the individuals whose data constitute the anonymized dataset are re-identified, such data would no longer be characterized as anonymized data and will once again fall within the purview of the Bill. Adequate measures should be developed to ensure that any data-sharing framework does not dilute the protections afforded by the Bill.
THIS MAY BE THE RIGHT TIME TO REGULATE THE PERSONAL AND NON-PERSONAL DATA ECOSYSTEM AND LENDING CERTAINTY
A combination of a first-mover advantage for large data-driven platforms and businesses has left many new entrants and start-ups squeezed and faced with significant entry barriers. This may be the right time to set out rules to regulate the data ecosystem to provide certainty for existing businesses and incentives for new business creation.
IT IS NATURAL THAT DESPITE CONSULTATIONS, DIFFERENCES BETWEEN STAKEHOLDERS MAY PREVAIL
Na. Vijayashankar opines that it is a complex law, and it is natural that despite elaborate consultations and accommodations, differences between stakeholders may prevail. The Tech Start-Ups will be happy that there is a 3-year window for them under the sandbox scheme. The IT/BPO segment may be happy with the provisions to seek exemption for application of the Act to process personal data of foreign nationals.
The need for registration of a Significant or Guardian Data fiduciary with the DPA with the disclosure of the Data Trust Score could pose some challenges to the parts of the industry processing sensitive information in the health and financial sector.
INNOVATIVE PROVISIONS STRENGTHEN THE REGULATION AND PROVIDE OPPORTUNITIES FOR NEW STANDARDS OF DATA PROTECTION
In sync with B. Murali and Dhwani's view that the need to file the Privacy By Design policy with the authority also could be a challenge, Na. Vijayashankar Naavi however opines that it is like filing a prospectus with SEBI before raising funds from the public. It is as if the "Collection of Personal Data from the public" is similar to raising funds in the Capital market.
The concept of DTS is similar to the Credit rating of an instrument and provides an opportunity for Personal Data Investors to assess the acceptability of a data fiduciary. This will be particularly handy when choosing the Consent Managers. This will strengthen the regulation and provide opportunities for new standards of data protection like the Personal Data Protection Standard of India which may eventually replace the imported data protection standards.
On a similarly positive note
Vineet Vij, Group General Counsel at Tech Mahindra welcomes the Bill as establishing a much-needed robust and stringent data protection framework for the country and ensuring accountability for those processing personal data or the data fiduciaries.
THE INTRODUCTION OF SOCIAL MEDIA INTERMEDIARIES AS DATA FIDUCIARIES IS SIGNIFICANT
Vineet Vij opines that the introduction of social media intermediaries as data fiduciaries in a world where social media plays a major role in each sphere of life is truly significant in its nature and effect in so far as for creating and upholding measures that protect the privacy of social media users.
Further, powers given to the Government to designate large data fiduciaries, whose usage is higher than the threshold as "significant data fiduciaries" complimenting the powers vested with DPA is also very notable to protect the country's sovereignty. However, it still needs to be seen how the enforcement would pan out and its economic impact for players directly affected by this provision.
The Bill also brings more accountability in dealing with sensitive and personal data of the citizens by both private and government organizations. When it comes to dealing with consumer's data, the Bill puts consumers in control of their data. It facilitates them with a transparent and effective environment to know how, where, and why their personal data is being processed.
THE BILL HAS A WIDER SCOPE AND IS EVEN MORE STRINGENT THAN EU'S GDPR
The Bill appears to be more comprehensive in terms of data privacy provisions and provides ample scope to the Government to enlarge the definition of sensitive personal data. It may have wider scope in some areas than the EU's GDPR and the California Consumer Privacy Protection Act.
Further, the Bill is significantly more stringent than the GDPR in terms of responsibility for defining the "Reasonable Purposes" for processing the data without consent. Under GDPR, it is the Data Controller who is responsible to determine the Reasonable Purpose, however, under the Bill, it is DPA who will ascertain the Reasonable Purposes.
EXISTING AMBIGUITY ON KEY ISSUES MUST BE ADDRESSED
Vineet Vij urges there may still be few areas that can lead to ramifications if unaddressed. For example, the Government has the power to exempt data processors that process the personal data of data principals who are outside the territory of India. The extent and grant of such exemption require more clarity.
Further, the transfer of data outside India and critical personal data by the Government can only be processed in India, this can have far-reaching implications on the ease of doing business. Pre-requisites for storage of such data have not been laid down.
STANDARDS FOR ANONYMIZATION OF DATA NEED TO BE SPECIFIED
Like experts Dev Bajpai, Murali and Dhwani, and Salman Waris, Vineet Vij also expresses concerns over the power of the Central Government to direct data fiduciaries or data processors to share anonymized data or non-personal data. He makes a case that it can have a far-reaching impact. The Bill is silent on preventive measures for protecting the anonymized data shared by data fiduciaries or data processors. Standards for anonymization of data are also conspicuously absent in the Bill. The recent Schrems II judgment by the Court of Justice of the EU has invalidated the US-EU Privacy Shield on grounds of invasive US surveillance activities encroaching the true spirit of privacy right of an individual. Ideally, all such disclosures should be a result of collaborative decisions and comprehensive guidelines rather than being at the direction of the Central Government alone.
THE BILL TAKES A TOUGH STANCE ON PROTECTING CHILDREN.
Vineet Vij notes a significant provision on protecting children from being profiled or targeted online. DPA classifies any data fiduciary that operates an online service or commercial website directed at children, or processes large volumes of children's personal information as a "guardian data fiduciary." It prohibits them from profiling, tracking, behaviorally monitoring, or directing targeted advertising towards children.
Neera Sharma CEO/CLO at Sistema Smart Technologies Limited also notes that the Bill helps to protect vulnerable classes like children, LGBT Community and Patient Data. The Bill would provide more control and transparency to consumers, enabling them to become 'owners' of their information. Data accumulated on or from a consumer can't be given to third parties without the consent of the consumer.
THE BILL BRINGS TRANSPARENCY TO HOW THE GOVERNMENT HANDLES CITIZENS' DATA.
She opines that the Bill would hold both private and government organizations accountable for the usage of sensitive and personal data, which will bring more transparency in terms of how the government, one of the largest data collectors in the country, handles citizens' data. This measure may diffusely help the government put up additional mandatory security measures to protect this category of data.
THE PERTINENCE OF THE BILL IS EXTRA-TERRITORIAL.
Neera Sharma observes that the pertinence of the Bill is extra-territorial. It seeks to protect the data of not only Indian citizens but any data principally within the territory of India being processed by Indian companies or MNCs situated in India/Outside. Data audits, trust scores, security parameters, etc., would pave the way for a uniform data protection structure resulting in stronger security measures to protect citizens' data.
LOCALIZATION OF DATA NEEDS RETHINKING.
In sync with Pavan Duggal's concerns on the Localization of Data under, Neera Sharma expresses that it is a considerable setback for many global players. This will have a larger economic impact. The free flow of information makes the world, if not a better place but certainly a more efficient one. Industry experts are raising larger geopolitical concerns about digital protectionism resulting in AI nationalism.
THE BILL EXEMPTS GOVERNMENT BODIES.
Neera Sharma raises another pertinent question. Unlike the GDPR which has a uniform application of the law, the Bill grants the Central Government the power to exempt any government agency from the application of the Act, opening the door for misinterpretations and misuse of the law.
A STRONG AND ROBUST DATA PROTECTION LAW WILL BECOME A FOUNDATION FOR THE DATA ECONOMY IN INDIA.
The overarching view is let's welcome the era of personal data protection. The Bill is remarkable as it changes the milieu in which personal data of the citizens is collated and processed and it paves the way for a better socio-economic world with strong data privacy and security regime.
As Dev Bajpai urges, as a nation, we should do everything to harness the power of data and, equally, be sensitive to personal data, its collection, processing, storing, and transfer. This requires a modern law that is practical, easy to implement, and helps the cause of ease of doing business.