On 27 July, India got a glimpse into what could be its own version of the EU GDPR (General Data Protection Regulation). The EU GDPR aims at protecting personal data of EU citizens and brings accountability to companies, globally, dealing with such data to prevent misuse and unauthorised access.
Indian Personal Data Protection Bill (PDPB) was drafted by a panel headed by Justice B.N. Srikrishna, following the submission of the draft bill and data protection report in July. The draft of Personal Data Protection Bill, 2018 restricts and imposes conditions on the cross–border transfer of personal data and suggests setting up of Data Protection Authority of India to prevent any misuse of personal information. Violation of bill can penalise any data collection company for the amount of INR 15cr or 4% of its total worldwide turnover, whichever is higher. Failure to take prompt action on a data security breach can further attract a penalty of up to INR 5cr or 2% of turnover, whichever is higher.
The draft bill defines the act of data handling by defining terms such as processing and profiling. Processing includes collection, storage, alteration, indexing, dissemination, and erasure of the data. Profiling is defined as an act of analysing personal data to identify a person’s past behaviour and predict his / her future behaviour. This may hint at the political sensitivities around social media analytics. The draft also identifies entities that deal with data and will be regulated, including persons, state, company or any juristic entity. It also includes the “right to be forgotten”, where an individual can request for personal data to be deleted. According to the draft, any processing of sensitive personal information will require an explicit consent.
RBI had released a prior circular along similar lines on 6 April, which read “All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India by 15th October. This data should include the full end–to–end transaction details / information collected / carried / processed as part of the message / payment instruction.” For the overseas leg of a transaction, the data may be stored in the foreign country.
For multinational companies this would translate into an increase in their compliance and infrastructure costs, and affect planned investments. They claim that even if data mirroring is allowed, they will still need an extension till December. Recently, top US senators have asked government to take a soft stance as this might undermine economic goals.
While it has garnered initial criticism from industry circles as being overly stringent, less flexible, a threat to personal privacy, and difficult to implement, it also brings about positive change in the way India starts taking personal data protection seriously. The draft law makes it mandatory for companies to disclose any data breach involving personal data which is a serious missing mandate in any available regulations.
The IT ministry has received more than 400 responses on the draft of bill and will consider all suggestions before its proposed introduction in the winter session of the Parliament.