Data Privacy Day: India’s PDP Bill Needs Clarification
By Sohini Bagchi
India’s proposed Data Protection Bill (PDP) 2019, which aims to help consumers and businesses exercise their privacy rights, needs a proper structural framework, experts believe. As the world observes Data Privacy Day on January 28, experts and industry bodies in India seek greater clarification on the areas of ambiguity that exist in the draft Bill, which is likely to be the custodian of data privacy norms in India.
The PDP Bill 2019 was introduced in the Lok Sabha on December 11, 2019 by the Ministry of Electronics and Information Technology and has been referred to a Joint Parliamentary Committee of both Houses. The Committee has been constituted under the chairmanship of New Delhi MP Meenakashi Lekhi for examination and report.
The PDP Bill – modeled on similar concepts of the European Union’s General Data Protection Regulation (GDPR) that came into existence on May 25, 2018 – is undoubtedly a welcome step to ensure the protection of sensitive personal data, and it has garnered a lot of praise as well as criticism.
“Although the PDP bill aims to play a vital role in fabricating regulations for governing the increasingly data-driven landscape, without a structural framework data privacy becomes a cause of concern,” said Sheril Jose, Head – Cyber Security at Pune-based Emcure Pharmaceuticals.
The draft Bill empowers the government to ask companies, including Facebook, Google and others, for anonymized personal data and non-personal data. Community social media platform LocalCircles noted in a survey that 45% of respondents – mostly startups and SMBs – oppose the government’s right to seek anonymized data of their customers and suppliers.
The survey highlighted that Indian startups that shift their base out of India because of the dearth of resources in the country should be allowed to share aggregate data with their overseas entities. Similarly, foreign companies that acquire Indian startups and plan to go global should also be allowed to use aggregate data. However, because companies spend a significant amount of resources to collect data and it is one of their core value propositions, they believe that sharing this information can put all their efforts at risk.
As per the norms laid out in the bill, all companies should store their data on local servers in India. A report by the Internet and Mobile Association of India (IAMAI) in December said that the bill categorizes data as Personal data, Sensitive Personal data and Critical Personal data, but the industry lacks clarity on which data qualifies under which head and hence is not equipped to take necessary precautions.
“The problem gets aggravated when data collection and processing are done by different agencies, in which case, each fiduciary will have to take consent at every step of the operation,” said the report.
In fact, there are concerns around a provision in the draft bill, seeking to allow the use of personal and non-personal data of users in some cases, especially when national security is involved.
Venkat Krishnapur, Vice-President of Engineering and Managing Director, McAfee India, said the provision will give the government unaccounted access to personal data of users in the country. “Businesses need clarification to fully comprehend the extent of adjustments they will have to do to comply with them. The onus lies equally on the users to be aware, informed and vigilant about how their data is being harnessed,” he said.
Industry body Nasscom has also sought more clarification on certain provisions of the Bill, stating that the IT-BPM sector in particular will need greater certainty on the scope and issuance of the exemption, as “financial data” continues to be defined broadly under the Bill.
“This is an area of concern, especially with reference to employee data processing for operations such as payroll services that require processing of financial data. Given that explicit consent is the only ground for processing sensitive personal data, the classification of ‘financial data’ as sensitive personal data poses potential problems for other business operations such as risk management, fraud detection, among others,” it noted.
Another contentious issue has been the role of the data protection authority. “The Bill talks about establishment of the Data Protection Authority of India. Organizations would want to understand the clear roles of the authority and how it impacts them,” said Jaspreet Singh, Partner – Cyber Security, EY.
Further, the PDP Bill does not provide for any transitional provisions and timelines for implementation. “We are hopeful that the PDP Bill ultimately provides companies sufficient time to conform their business practices to ensure compliance to the PDP Bill. Nevertheless, corporates in India that would get categorized as a data fiduciary under the PDP Bill should review their existing data protection framework,” said Srinivasan CR, Chief Digital Officer, Tata Communications.
With many more high-profile security breaches predicted in the 2020s, companies demand a strong framework of data privacy to ensure customer privacy. Experts believe those organizations that fail to protect user data and share it in a responsible manner will eventually be out of business.