Need to Know Series: The Indian Personal Data Protection Bill
GDPR has jump-started a global data privacy movement. Different American states have introduced, and in some cases passed, legislation to provide better data privacy to citizens. And in late July, India released the Personal Data Protection Bill 2018.
The privacy legislation was jump-started by an Indian Supreme Court decision that claimed privacy is a fundamental right and challenged government to come up with a “a regime for data protection.” According to Inside Privacy, some of the provisions in the bill include:
- Grant rights to data principals;
- Require organizations hire Data Protection Officers;
- Establish a Data Protection Authority; and
- Add stiff penalties and fines for violations.
“The new Indian Data Privacy Law is definitely inspired in large proportions by GDPR,” said Callum Corr, Data Analytics Specialist at ZL Technologies. “If you take a look at the fundamental base of this regulation, it is asking that all organizations around the world handle Indians’ personal data in a similar way to how GDPR asks for companies that deal with EU personal data.”
Why India Needs a Data Privacy Law
India has long been a global leader in information technology, but its data privacy protections have been lax. According to The Hindu Business Line, the current privacy law, Sensitive Personal Data and Information, was introduced in 2011, but had been inadequate in providing real data protection. The law that currently covers data protections within India’s technology industry, the Information Technology Act, 2000, focuses on areas like data collection and usage, it doesn’t address data storage or user consent.
“The proposed Data Protection Bill 2018 essentially makes individual consent central to data sharing,” the article stated. “The report notes that the right to privacy is a fundamental right. Unless you have given your explicit consent, your personal data cannot be shared or processed.” This is an upgrade from the current law.
The new bill could also show the rest of the world that India is taking data privacy seriously and could encourage global industries, especially those with a strong ecommerce platform, to do business in India. “This law begins a move toward making sure foreign global companies treat India with respect,” said Corr. “Understanding the patterns of how consumers communicate, what they buy, where they travel and more, could be invaluable for many businesses and India is keen to protect that data.”
How the Tech Industry Views India’s Privacy Bill
India’s tech industry appears to be onboard with the bill and is stepping up efforts to monitor data use and storage. For example, Forbes points out the efforts of Microsoft India, which “launched free online courses that will allow students, businesses, and legal professionals to understand data compliance, basics of GDPR and other best practices in security. Indian banks and insurance companies are among the early movers in building blockchain infrastructure, which can safeguard customer data.”
However, global tech companies aren’t as enthusiastic about the bill and plan to oppose the legislation, according to Reuters. The tech giants claim turning the bill into law would increase infrastructure and compliance costs and could hurt investments in these companies. In a letter to be sent to India’s information technology minister, Reuters reported, the tech companies stated, “The potential fear of restricting cross-border data flow would impact the business models of several Indian as well as global companies. Fear of restrictive regulation has the potential to negatively impact the flow of foreign investments.”
Facebook is one of the companies fighting against the bill; yet, it was Facebook’s lax data privacy controls and news that Cambridge Analytica gathered the data of millions of users, including Indians, that increased the profile data privacy concerns. While GDPR may be the regulation that got the ball rolling, it was Facebook and Cambridge Analytica that brought the issue to the average consumer.
Will It Work?
Tech companies aren’t the only ones who have concerns about the Personal Data Protection Bill. As the Hindu Business Line article pointed out, many think that the bill lacks the necessary heft needed for effective data privacy. “Ownership of data for one has been completely ignored,” the article stated. “The Telecom Regulatory Authority of India (TRAI) in its recent recommendations, had stated that each user owns his data and the entities processing such data are mere custodians. But the draft only treats data as a matter of ‘trust’ and not property unlike under the GDPR.”
There is also concern about loopholes built into the bill that would allow government to continue to have access to citizen’s personal data and the independence of the regulator’s authority.
In the end, if the bill becomes law, its effectiveness will come down to enforcement. “Any law is only as good as those who can consistently enforce its requirements,” said Corr. “We have already seen with GDPR, granted we’re in very early days, that enforcement agencies are stretched extremely thin when trying to tackle large corporations.”
And with more than a billion citizens, enforcement will be very challenging.
Like GDPR, the Personal Data Protection Bill will cover the data privacy of Indian citizens, but, again like GDPR, it is a regulation that will touch companies around the world. This means that companies must better monitor how they are handling personal data and be able to prove that, if information collected belongs to Indian citizen, then it must be stored within India.
“What these new laws might really prompt is for companies to move away from the idea of ring-fencing data,” said Corr. “Large organizations tried to protect EU data and manage it in a separate manner to data across the enterprise. With India’s law and as well as emerging laws in South America and even the US companies may be forced to manage all of their data consistently across the enterprise, which would be a fundamental shake up for most organizations around the world.”
Enjoy this piece? Check out our previous piece in the Need to Know Series: Salesforce & GDPR