Open in Safe Mode: How New Data Protection Bill Looks at ‘Safety, Trust, Accountability’ | News18 Analysis
The IT Ministry shared an Explanatory Note on the Digital Personal Data Protection Bill and stated that the bill is based on seven principles around the data economy.

The government on November 18 released the draft of the Personal Data Protection Bill, aiming to provide a framework for a strict user-consent regime for data processing, as well as a penalty of up to Rs 500 crore for data breaches by social media and internet companies.

However, the government released the ‘Explanatory Note on Digital Personal Data Protection Bill, 2022’ after the draft of the bill was announced.

According to the document, which is available on the website of the Ministry of Electronics and Information Technology: “It has become clear over the last few years that while the internet and technology is a force for good and connectivity, it is also a place where user harm and misuse can exist if these rules and laws are not prescribed. That is why laws and rulemaking for the internet have to be around the basic foundational principles and expectations of our citizens of openness, safety, trust and accountability.”

The document also noted that while this data is used by platforms and intermediaries, it has become clear in recent years that the data and personal data “must be subject to a framework of rules and dos and don’ts”.

DATA ECONOMY

It is said that the bill is based on a few principles around the data economy. This includes the fact that the usage of personal data by organisations should be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.

The second, the purpose limitation principle, is that personal data is only used for purposes for which it was collected, while the third, the data minimisation principle, is that only personal data required for a specific purpose should be collected.

The fourth principle of personal data accuracy is that reasonable efforts are made to ensure that the individual’s personal data is accurate and up to date.

The fifth, the storage limitation principle, is that personal data is not stored indefinitely by default. It is said that the storage should be limited to the time required for the stated purpose for which personal data was collected.

Another principle states that reasonable safeguards are put in place to prevent the unauthorised collection or processing of personal data. This is done to prevent the theft of personal information.

The last one says that the person who determines the purpose and means of processing personal data must be held accountable for that processing.

The Centre stated that it considered global best practices, including a review of Singaporean, Australian, European Union, and prospective federal legislation in the US.

While sharing chapter-wise summaries, the document highlighted: “The Bill will establish the comprehensive legal framework governing digital personal data protection in India. The Bill provides for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes.”

THUMBS UP OR DOWN?

Amit Jaju, Senior Managing Director at Ankura Consulting Group (India), told News18: “This time it is called Digital Personal Data Protection Bill. I think it is far from final and would need multiple iterations before becoming practical.”

According to him, this time it is much more simplified, the non-personal data is kept out of the ambit and the focus is more on financial penalties than a criminal conviction.

However, the industry insider said: “Not bringing Data localisation under a requirement will make it difficult to detect and investigate non-compliance and breaches. This is the single biggest gap in the latest draft and is in contradiction to other regulatory requirements such as from the RBI and Cert-In.”

Additionally, he said: “Fines are too high as absolute values and not as a fraction of revenues or net worth. It will be impractical to impose a fine of Rs 500 crore on a start-up. Remember, everyone will get hacked at some point. There is less focus on enabling breach investigation.”

Another expert from the industry, Sandip Kumar Panda, Co-Founder and CEO of Instasafe Technologies, said that the bill is a much-needed law that has been pending for years.

He highlighted that India, a host to the second-highest population of smartphone users, is prone to data breaches in social apps.

“So, with this revised data protection bill, cybersecurity became the forefront of data management. Since the coming of the guidelines, tech firms will now pay special attention to data protection, privacy and residency,” he added.

But he also noted that with hefty penalties, it might be a burden for small and medium organizations to meet compliance needs.

Pankit Desai, CEO and Co-Founder of the cybersecurity firm Sequretek, said the biggest change the revised draft of the data protection Bill proposes is the concept of trusted countries.

According to him, it means that data of Indian citizens will be allowed to be stored in these “trusted countries, which are those nations that are still being decided”, but now the global companies will have options to store data outside of India.

“I’m trusting these trusted geography countries would be where we’ll have reciprocal relationships in terms of us being able to access the data as well as enforcement of laws,” he added.

Furthermore, the expert said: “The original bill envisaged criminal penalties and jail time in case of a breach and they’ve done away with it and added only civil penalties, which is the right way to look at it.”

However, he said: “What the government have also tried to do is, instead of a lump sum, it has linked the cost of the penalty to the number of records that have been breached. The bigger the breach, the bigger the impact and bigger the penalty, which is the right way to do it.”

Meanwhile, Manish Sehgal, Partner, Deloitte India, told News18 that the new title of the bill signifies the intent to continue pushing the digitization agenda thereby offering a legal framework to govern the collection, usage, processing, and storage of digital personal data.

However, he stated that the bill’s exemptions for Central and State agencies, along with the exclusion of personal data stored and/or processed in non-digital (original/handwritten/paper) format “may be a gap” to protect personal data and ensure privacy in entirety.

Sehgal said: “Data principals are responsible to provide verifiably authentic personal data while exercising their rights. It’s interesting to note that the bill has also proposed a penalty of Rs 10,000 for non-compliance of duties expected of a data principal, which isn’t a common trend.”

“This is likely to promote authenticity in data principal requests and limit non-legitimate requests,” he noted.

Furthermore, the industry expert pointed out that the Bill offers a relatively soft stand on data localization requirements and permits data transfer to select global destinations on the basis of some predefined assessments.

According to him, “This is likely to foster country-to-country trade agreements, make it relatively easier for global enterprises to operate and process data with their current set-up rather than mandatorily developing large infrastructure in India for storing and processing of personal data.”

Meanwhile, Shahana Chatterji, Partner, Shardul Amarchand Mangaldas and Co, appreciated the release of this long-awaited bill.

However, she said: “In particular, we note that many obligations applicable to data fiduciaries and processors and mechanisms relating to data processing have been simplified, which will likely enable easier compliance.”

“A significant portion of the rulemaking is likely to occur through rules and guidelines to be issued under the proposed law. We look forward to working with the government in developing these rules and the emerging data protection framework in India and supporting its aim of a $1 trillion digital economy,” Chatterji noted.
