Data Protection Law Gets Closer to Reality With Stiff Penalties for Data Leaks And Breaches
The Personal Data Protection Bill, which got the Union cabinet’s nod earlier this week, will be tabled in this parliament session, which concludes on December 13. It was in July last year that the Justice BN Srikrishna-led committee submitted its draft bill to the Ministry of Electronics and Information Technology (MEITY). The idea was simple: to create a powerful data protection law in India. The draft was finalized after a year of consultations with various stakeholders and came just after the European Union General Data Protection Regulation (GDPR) came into force in May last year. The Personal Data Protection Bill, 2019 is important because of the urgent need to regulate data protection and data privacy, be it for online platforms, apps, social networks or web-based services, including those offered by the government.
For consumers, the Data Protection Law, when it finally becomes one, will mean that any and all data which they share must be collected only after their explicit consent. All the collected data will be categorised as general, sensitive or critical. There will also be safeguards to prevent misuse of the data and stiff penalties in case a user’s data is used without their consent.
“We welcome the Cabinet’s decision to pass the bill on personal data protection. This bill will help India and its citizens to fight threats and safeguard our country’s data integrity, sovereignty and security,” says Ramesh Mamgain, Area Vice President India and SAARC Region from Commvault, a data management company. At present, there are no data laws that govern the collection policies and safeguarding of personal data and no penalties that can be deployed in case an entity misuses the data they collect. “With there being constant news about how user data has been compromised / misused by people with malicious intent, there is an increasing need to have proper guidelines in place to secure confidential data. We welcome the initiative by the Government of India to table the data protection bill in the current session of parliament. The bill is expected to spell out a framework, which would include the processing of personal and private data by public and private entities,” says Bhavin Turakhia, Founder & CEO, Flock. Flock is a communication platform and allows users to collaborate for project management and more.
Any companies or entities found violating the conditions of data sharing as laid down by the Personal Data Protection Law could face penalties of up to Rs 15 crore, or 4 percent of their global turnover, it is being reported. At the same time, a data breach will be penalized with a fine of up to Rs 5 crore or 2 percent of the global turnover of the organization in question. “As per the draft proposal, hefty penalties will be imposed on entities that violate the privacy of users. This is a good step and we hope that the bill will have a proper balance of data privacy and protection, which will lead to increased transparency,” adds Turakhia.
For the data collection to be valid and legal, the Data Protection Bill, 2018 states that consent must be “free, having regard to whether it meets the standard under section 14 of the Indian Contract Act, 1872 (9 of 1872); informed, having regard to whether the data principal has been provided with the information required under section 8; specific, having regard to whether the data principal can determine the scope of consent in respect of the purposes of processing; clear, having regard to whether it is indicated through an affirmative action that is meaningful in a given context; and capable of being withdrawn, having regard to whether the ease of such withdrawal is comparable to the ease with which consent may be given.” The most important aspect of this clause perhaps is the last part, which talks about making it easy for the original owner of the data, that is you and I, to be able to withdraw the data that we may have shared in the first place, for whatever reason we may want to. “Also, the bill outlines a legal framework to preserve the sanctity of consent in data sharing and penalize those breaching privacy norms, thereby giving citizens more power and control over their digital personas and the associated data,” says Neelesh Kripalani, Senior Vice President and Head, Center of Excellence, Clover Infotech.
“The data fiduciary shall not make the provision of any goods or services or the quality thereof, the performance of any contract, or the enjoyment of any legal right or claim, conditional on consent to processing of any personal data not necessary for that purpose,” clarifies the Data Protection Bill, 2018. This means that a service provider (specified here as data fiduciary) cannot ask for any other data apart from what is strictly necessary to provide a service in return. “The Personal Data Protection bill is a step in the right direction. I think every individual should have the right to ascertain the extent of exposure of sensitive and private data. By viewing the data as sensitive, critical and general as against putting it all in one bucket, the government will enable users to have a seamless digital experience while knowing that the data will be processed, stored and protected under a strict lawful guideline,” adds Kripalani.
The new law could mandate that data collected from Indian users must be stored within the geographical boundaries of India as well, even if there is a copy of that data anywhere else in the world. This will be particularly important for social media and tech companies such as Facebook (which owns WhatsApp), Google and Twitter, which would have to keep a copy of the data in India as well. The law could mandate that any financial data must also be saved within India, and any data that falls in the critical bucket needs to be saved within India as well.
Incidentally, the Data Protection Bill, 2018 draft recommendation doesn’t seem to give the users any ownership of the data they share with companies or other individuals for a service or the right to erasure of data that was previously shared, for instance. This is in stark contrast to the Telecom Regulatory Authority of India (TRAI) recommendations on data sharing with any entity in the telecom sector. The TRAI recommendations clearly state “In respect of the ownership of personal data, the Authority is of the view that the individual must be the primary right holder qua his/her data. While the right to privacy should not be treated solely as a property right, it must be recognized that controllers of personal data are mere custodians without any primary rights over the same.” This simply means that any data that you share with any company still belongs to you, and the companies don’t have any ownership or the right to use that without your permission. It will be interesting to see if that changes.