India's much-anticipated data protection bill was introduced in the Lok Sabha this week by the BJP-led government. It imposes new constraints on how corporations in the country can collect and use the information of 1.3 billion people and is meant to give those people control over their personal information.
The legislation is modeled on the European Union's recently enacted privacy rules. But while Europe's law gives residents the ability to access and control their online data, experts believe the Indian government's version moves the country closer to China, which tightly supervises internet activity.
The 'Personal Data Protection Bill, 2019' is a data governance framework that requires organizations handling personal data to restructure how they manage it, and regulates their practices in order to protect individuals' privacy and personal data. The bill lays down the rules for such organizations, spelling out what they can and cannot do.
Salman Waris, head of the technology practice at TechLegis, a New Delhi law firm said, “it gives a semblance of owning your data and having the right to know how it is used, to the individual, but at the same time it provides carte blanche to the government.”
At the same time, the legislation places fewer restrictions on the government's own use of sensitive data about residents. That includes the fingerprint and iris scans that form the core of the Aadhaar national ID system.
The bill states that "all or any of the provisions of this Act shall not apply to any agency of the Government in respect of the processing of such personal data." This loophole allows the government to gather citizens' data, ostensibly in order to fulfill its governance responsibilities.
In theory the rules apply to government agencies, but the central government is granted wide power to exempt any public entity from the requirements on grounds such as national security or public order.
How will it impact individuals, organizations, government, and regulators in India?
• The proposed bill places individual rights at the core of data protection.
• Under the bill, personal information cannot be collected, processed or shared without the individual's consent.
• An individual's data can be used only for clear, pre-defined purposes, and only the data necessary for those purposes can be collected.
• Companies' privacy policies must be clear and concise, describing in plain language what data is collected, for what purpose, how it will be used and how long it will be retained.
• People can move their data from one provider to another and ask any organization what data it holds about them. They can also request that it be deleted, and can withdraw their consent at any time.
• Private companies will need to make substantial changes to their systems, from technical changes in engineering architecture to modified business processes.
• They will also need to place limits on data collection, processing and storage.
• Companies will need to build in technical security safeguards, such as de-identification (so that an individual's identity is not inadvertently revealed) and encryption.
• They must promptly notify the regulator of any data breach.
• Sensitive personal data must be stored and processed in India and cannot be processed outside the country without the regulator's approval.
• Under the bill, the government can direct companies to provide "anonymized" or "non-personal data" for policy-making or other public goods.
• The bill gives the government complete discretion to exempt any of its agencies from the law, citing public order, national security or friendly relations with foreign states.
• According to Justice BN Srikrishna, who chaired the expert committee that drafted the 2018 version of the bill, "the bill will turn India into an Orwellian state. They have removed the safeguards. That is most dangerous. The government can at any time access private data or government agency data on grounds of sovereignty or public order."
• Government access to personal information is especially dangerous because the state has far greater powers over individuals than any private company does.
• The legislation establishes a new privacy regulator, the Data Protection Authority of India (DPA), which will be in charge of setting standards, preventing misuse of personal data, monitoring compliance and promoting awareness of data protection.
• It can also conduct inquiries on its own initiative or in response to complaints it receives.
• The bill gives it the power to penalize offenders, with sanctions ranging from financial penalties to criminal liability.
• Since India does not have a strong record of effectively administering and enforcing such rules, the new regulator's capacity will need to be strengthened if the proposed law is to be implemented successfully.
Differences and similarities between the EU's GDPR and India's PDP Bill, 2019
• One significant difference is the framework for deciding whether data may leave the country. Both laws give the authorities power to decide whether cross-border transfers may occur, but the GDPR lays out the criteria for that decision transparently, whereas the Indian bill leaves them largely to the regulator and the central government.
• The GDPR specifically addresses harm to individuals from automated decision-making, while the Indian bill only requires an impact assessment in cases of large-scale profiling. The Indian bill also gives citizens no right to object to profiling, except in the case of children.
• The Indian bill defines a sub-category of personal data called 'sensitive personal data', which includes health, financial, caste and biometric data. Although this resembles the GDPR's list of "special categories" of personal data, the GDPR imposes no separate localization rules on such data.
• Both laws permit data processing for the prevention, investigation, detection or prosecution of criminal offences, and both refer to "public security", "defence" and "judicial" proceedings.
• Both the GDPR and the PDP bill are built around consent: personal data may be processed when the individual has agreed to it.
• Both grant individuals similar rights, including the right to correction, the right to data portability and the right to be forgotten.
• Both impose similar obligations, such as dispute-resolution mechanisms and codes of conduct.