It’s Time to Fix the Gaping Hole in Data Protection Bill

IT services provider Cognizant recently said the Personal Data Protection Bill – if enacted in its current form – would impose stringent obligations on the handling of personal data, including certain localization requirements for sensitive data.

“Complying with changing regulatory requirements requires us to incur substantial costs, exposes us to potential regulatory action or litigation, and may require changes to our business practices in certain jurisdictions, any of which could materially adversely affect our business operations and operating results,” the IT firm said in a recent article in Economic Times.

Other countries have enacted or are considering enacting data localization laws that require certain data to stay within their borders, Cognizant said in its annual report, highlighting it as ‘risk factors to business for the coming year’.

While the PDP Bill is a major step forward in ensuring that Indians gain more control over their data, there are certain provisions that can be modified to better suit this purpose.

Demand for greater clarification

This is not the first time an organization has raised its voices against the set norms in the PDP Bill. Experts have demanded clarification in several areas of ambiguity that exists in the draft Bill which needs to be better clarified for businesses to fully comprehend the extent of adjustments businesses will have to do to comply with them.

In December, the Internet and Mobile Association of India (IAMAI) shared its concerns about the PDP Bill. IAMAI had said that some of the norms of the bill can be restrictive for service providers and enterprises and may not be inclined towards India’s target of a $1 Trillion digital economy by 2024.

Modeled on similar concepts of the European Union’s General Data Protection Regulation (GDPR) that came into existence on May 25, 2018, the PDP Bill bears some striking similarity with the former, particularly in areas of granting rights to individuals and those levying penalties.

For example, a company may have to pay a penalty of up to Rs 15 crore or 4% of its global turnover if found violating norms under the Bill. Failure to conduct a data audit will attract a fine of Rs 5 crore or 2% of the annual turnover of the company. This automatically involves a lot of costs, which may be extremely difficult for smaller companies to bear.

Further, a provision in point is Section 25, which allows the Data Protection Authority, the designated regulatory body, the discretion of informing an individual of breach of his/her data. Such a provision should be done away with, and leaks, and should be directly intimated to the concerned individual, believe experts.

An observation of various sectors such as banking and insurance illustrate that the concerned authorities namely, RBI and IRDA, have formulated rules and regulations concerning data protection in that particular sector. For a seamless and comprehensive data protection law, it is imperative that such powers must reside solely with the Data Protection Authority. Moreover, with the latter consisting of technological experts, it is only natural that the guidelines regarding data protection be formulated by them. Currently, the Bill makes no clear mention of such provisions, and the same can be added.

Read more: Data Privacy Fines of $126M in Post-GDPR Era

SMB, startups to feel the pinch

Community social media platform, LocalCircles, noted in a survey that 45% of respondents – mostly startups and SMBs – oppose the government’s right to seek anonymized data of their customers and suppliers.

The survey highlighted that Indian startups, which shift their base out of India because of the dearth of resources in the country, should be allowed to share aggregate data with their overseas entities. Similarly, foreign companies, which acquire Indian startups and plans to go global, should also be allowed to use aggregate data. However, as companies spend a significant amount of resources to collect data and it is one of the core value propositions, they believe that sharing of this information can put all their efforts at risk.

“Some short-term disruptions are possible, but the answer to this would be significant investment in data governance. It will impact smaller providers more because they have to create special provisions, change processes and systems of transferring data,” said DD Mishra, Senior Director Analyst at technology research house Gartner.

As Sheril Jose, Head- Cyber Security at Pune-based Emcure Pharmaceuticals sees technology companies will have to invest in changes to data architectures, including local data centers, once the Bill becomes law.

As per the norms laid out in the bill, all companies should store their data on local servers in India, IAMAI  earlier mentioned in a report that the bill categorizes data as Personal data, Sensitive Personal data and Critical Personal data, but the industry lacks clarity on to which data qualifies under which head and hence is not equipped to take necessary precautions.

“The problem gets aggravated when data collection and processing are done by different agencies, in which case, each fiduciary will have to take consent at every step of the operation,” said the report.

Read more: Data Protection Law Shifts Spotlight on CISOs

The IT sector also needs greater certainty on the scope and issuance of the exemption, as “financial data” continues to be defined broadly under the Bill. As a senior Nasscom official noted, “This is an area of concern, especially with reference to employee data processing for operations such as payroll services that requires processing of financial data.

“Given that explicit consent is the only ground for processing sensitive personal data, the classification of ‘financial data’ as sensitive personal data poses potential problems for other business operations such as risk management, fraud detection, among others,” it noted.

Further, the PDP Bill does not provide for any transitional provisions and timelines for implementation. Experts hope that the Bill must provide companies sufficient time to conform their business practices so as to ensure compliance to it.

In spite of these lacunae, this Bill, considering the inefficacy of the Information Technology Act, 2000, is a landmark legislation and was long due. A few modifications can set it on the right track, believe experts. Precise drafting of provisions and a people’s privacy-centric approach can help it become a big success story; else it will be seen as one of the biggest blunders in the legislative history.