This article has been written by Jai Khurana, pursuing Diploma in Technology Law, Fintech Regulations and Technology Contracts and has been edited by Oishika Banerji (Team Lawsikho).
it has been published by Rachit Garg.
Table of Contents
Introduction
Humans tend to work and grow every day in today’s ever-changing and evolving world. There is a creation of a lot of information regarding humans’ choices, nature, activities, etc. in the process of everyday functioning. Now let’s take an example; imagine that all the information which is connected to you, say your everyday functioning activities and timetable, your family members and personal relations, your bank account passwords, etc. is compromised by an entity without your consent or knowledge. This kind of situation may trigger astonishment and fear for many. Thus, to prevent such acts to occur and cause harm to an individual who does not know the extent of information shared and compromised, a Bill was introduced in the parliament namely The Personal Data Protection Bill, 2019 (The Bill). This article works towards discussing the Bill of 2019 and its impact on businesses in terms of opportunities offered, challenges faced and the cybersecurity considerations that were made. The article also throws light on the arrival and repeal of the Data Protection Bill, 2019.
What enticed the creation of the Data Protection Bill
The privacy and protection of data were considered and controlled by the Information Technology Act, 2000 (IT Act, 2000), and the Reasonable Security Practices IT (Amendment) Act, 2008. These legislations specify security safeguards for data collection, disclosure, and transfer of j information for entities processing the data. However, the aforementioned Acts and provisions could not take due care of the agenda of the development of the digital economy as IT Act, 2000 was not able to provide a broad definition of ‘sensitive personal data’. The Act which was drafted in the year 2000 comes to be recognised as a toothless tiger currently. The reason behind the same is the outdated provisions that are failing to keep up with the recent changes that are being brought about in the field of technology. Concerns are being raised therefore to locate a governing legislation that can define terminologies in relation to technology thereby benefiting its user.
The major contemporary issue for privacy arises with the creation of the Bill. The origination of the Bill can be tracked down when the question of privacy being a fundamental right under Part III of the Indian Constitution was raised in the case of Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors (2018). Through six separate opinions, the Supreme Court of India had concluded that privacy is a distinct and independent fundamental right under Article 21 of the Constitution. The crux of the decision spelled out an expansive interpretation of the right to privacy – it was not a narrow right against physical invasion or a derivative right under Article 21, but one that covered the body and mind, including decisions, and choices, information, and freedom. Privacy was held to be an overarching right of Part III of the Constitution which was enforceable and multifaceted.
A Committee of experts was appointed by the Government namely Srikrishna Committee and it submitted its report in July 2018. The Report stated the obsoleteness of the IT Act, 2000 and recommended the Personal Data Protection Bill, 2019. The Committee noticed major loopholes in the relationship between the user and the service provider where there was an ‘asymmetrical distribution of power’ as the user had no knowledge and couldn’t control the diversity of the user’s personal information shared by the service provider to any entity. Moreover, the relationship was controlled not by a specific provision but by general clauses of the contract law. Thus, the Committee further recommended setting-up of an authority that would take control of all the aforementioned ill acts against the unaware user.
An overview of the Personal Data Protection Bill, 2019
The Personal Data Protection Bill, 2019 was introduced in the Lok Sabha by the Ministry of Electronics and Information Technology, Mr Ravi Shankar Prasad, on December 11, 2019. The Bill was introduced to protect a person’s (data principal) personal information from being shared and to establish the Data Protection Authority (DPA). This Bill would regulate the processing of information done by:
A. The government.
B. The companies are located in India.
C. Foreign companies which are engaged with the data and personal information of Indians.
Individuals/ companies (data fiduciaries) collecting such information and processing it would also be regulated and would be allowed to collect such information for a specific purpose only. Individuals covered under the Bill would also have certain rights like obtaining confirmation regarding the processing of information by the fiduciary, correcting the wrong information collected and processed by the fiduciary, and restricting continued disclosure of information to fiduciaries in case of the purpose being fulfilled for which the information was initially shared. Individuals further have a right to forget where they can ask the fiduciary to delete all the data regarding the individual. However, the Bill also establishes certain grounds where there is no consent requirement of the data principal for processing the data. This includes:
A. Information required by the state for the provision of benefits
B. Legal proceedings
C. Respond to a medical emergency.
Social media intermediaries would also be controlled under the Bill whereupon crossing a certain threshold; the intermediaries would have certain obligations including a voluntary user verification system. Sensitive data, if transferred out of India for processing, would be bound by certain conditions. Further, the transferred data must be stored in India too. The Indian Government would have the power under the Bill to exempt any of its agencies from the provisions of the Bill for:
A. The interest of the security of the state and friendly relations with foreign states
B. Preventing incitement to the commission of any cognisable offense
C. Prevention and prosecution of any offense
D. Personal, domestic or journalistic purpose.
A fiduciary would be punished with Rs. 15 crores or 4% of the annual turnover, whichever is higher in case of failure to transfer personal data in violation of the Bill, and Rs. 5 crores or 2% of the annual turnover, whichever is higher in case of failure to conduct data audit in time. The government can ask fiduciaries to share non-personal information or anonymized personal data for better provision of services to the masses.
How is the bill aiding individual interests
The Data Protection Bill was developed for aiding the individual’s interest as the area has remained unexplored by the existing legislations in India. The European Union’s GDPR also played a role in developing the Data Protection Bill as it was observed that there was no applicability of WhatsApp’s policy changes in the European Union unlikely in India where the same and other companies are able to take advantage of the lack of airtight data protection laws.
With the introduction of the Data Protection Bill, individuals would be able to give consent over the topic of whether their data shall be used or not. This consent would be free, clear, specific, and capable of being withdrawn. There has been a history of evident data leaks such as the data leak at IRCTC where the personal information of millions of Indians was sold on the dark web in 2020. Similarly, the data of 45 lakh passengers were leaked on Air India’s passenger system service provider SITA, including information about their passport and credit card details. Even apps like Truecaller have been looked down upon with sceptical eyes as the Swedish site is found upon investigation, to be a bane for a country like India where privacy is considered to be a fundamental right. This is where the Data Protection Bill acquires importance for the same identifies an individual and their details, including names, addresses, financial information, IP addresses, cookies, and device IDs under the framework.
Impact of the Data Protection Bill, 2019 on businesses if the same would not have been repealed
The functioning of businesses under the Data Protection Bill remains a grey area. The Bill of 2019 had not explicitly mentioned and explained the cross-border information flow and functioning procedure. As of now, the Bill only calls for certain personal information to be localized which again questions whether the same would be enough for data protection and will boost the Indian economy or not.
The 2019 Bill had allowed the data fiduciaries to share non-personal data or anonymized personal data. This may again alter the outcome of how the business performs as the same information can be shared with the competitors who can dominate the market based on the shared data. It is necessary to note that if the Data Protection Bill, 2019 was put into effect, small businesses would have suffered because of the same, as the companies would attract cost and expenditure which could only be afforded by large businesses easily as compared to the small and medium enterprises.
The businesses would also need to invest a bigger chunk on cyber-security, as well as update their cybersecurity policy and practice as it requires businesses to implement reasonable measures to protect consumers’ personal data and privacy against data loss or exposure. The businesses also need to report the data breach to the DPA as soon as possible, being in compliance with the Data Protection Bill, 2019 (if the same was put to effect).
The Data Protection Bill would have further increased the demand for cybersecurity professionals and data protection officers. To address the current skills shortage for cybersecurity professionals and data protection officers, both governments and tech companies need to invest in more cybersecurity training and education programs.
Looking at the bright side, the Data Protection Bill, 2019 would aid in the business functioning as the entities would be able to identify the areas of data necessary for them to keep, maintain, secure and let go of the unnecessary data. Further, the businesses would exactly know the cycle of data utilisation and areas where they need to maintain security measures, if the Bill was not repealed.
Personal Data Protection Bill, 2022
The Ministry of Electronics and Information Technology prepared a new draft of the PDP Bill in 2022 keeping in view the repercussions the 2019 Bill would have entailed if it would have been implemented. Like the 2019 Bill, the PDP Bill, 2022 sets out the rights and duties of the citizens, and the obligations of the data fiduciary to use the collected data in an authorized manner. The new Bill was introduced on the 18th of November, 2022 with the invitation to the public to provide feedback on the Bill by the 17th of December 2022. The key highlights of the 2022 Bill are entailed as follows: –
- Country specification: The Government has the authority to specify the countries to which the data will be transferred. This is in relation to the sending of user data to companies having data servers located abroad.
- Exemption to state agencies: The government can exempt specific state agencies from the protection of proposed law in interest to process data in the name and spirit of national interest.
- Data Protection Board: A Data Protection Board would be set up as per the 2022 Bill which ensures compliances are in check and also hear user complaints. The Central Government would establish the Board by issuing a notification in the same regard. The allocation of work, receipt of complaints, formation of groups for hearing, the pronouncement of decisions, and other functions of the Board shall be digital by design
- Appointment of Data Auditor: There shall be the appointment of a Data Auditor by the Companies of “significant” size, the volume of data they process and other factors. The Data Auditor will work for checking the compliances that need to be followed by the company.
- Pecuniary liability: The Board can charge financial penalties over a data server or data fiduciary for non-compliance with any of the provisions of the then Act. Fines up to 2.5 Billion rupees can be levied as fines for the failure of entities to take reasonable security safeguards to prevent data breaches.
- Children’s safety: The new Bill safeguards children’s interest in the digital era by restricting companies or organizations to process personal data that is likely to cause harm to children. Also, advertising cannot be targeted at children. Parental consent is necessary for connection with minors and children.
- Gender neutrality: Unlike the previous Acts and codes, the PDP Bill 2022 uses ‘she’/’her’ as a general term to depict data users. This shows the intent of the Indian legislature to incorporate more gender-neutral terms and laws in the future.
Opportunities for businesses under the PDP Bill, 2022
The comprehensive data protection regime that the PDP Bill, 2022 brings about, proves to be amenable to businesses in India. Currently, the data protection regime in India is governed by the Security Practices and Procedures, the Sensitive Personal Data or Information 2011 and the Information Technology Act, 2008. With the enactment of the PDP Bill, 2022, there will be several implications for virtually every organisation that has their operations in India. The list of opportunities have been stated hereunder whose taste can be enjoyed only if businesses abide by the compliances listed by the Bill.
Privacy protection
While there remains scope for erasing unnecessary data by the businesses, compliance with the Bill will help businesses safeguard privacy of their customers thereby providing the latter with greater control on their data.
Improved data security
The 2022 Bill establishes stringent criteria required for the implementation of appropriate technical and organisational measures to secure data by data controllers and processors. Compliance with the same can help businesses improve data security thereby building reliance with their customers.
Building trust
The Bill is anticipated to build trust between customers and businesses by giving the former more protection and control over their personal data. This may result in better communication between businesses, their stakeholders and customers.
Boosting the digital economy of new India
The 2022 Bill can promote wider adoption of digital technologies by increasing customer confidence in digital goods and services by guaranteeing personal data protection. This will help businesses flourish better in the Indian market.
Challenges for businesses under the PDP Bill, 2022
The PDP Bill, 2022 welcomes several challenges for businesses operating in India in terms of its compliance. Aligning business processes with the proposed regulations will necessitate new business infrastructure and significant process modifications for many Indian businesses. But one thing is certain that companies, irrespective of their nature, must adhere to four essential procedures to set up a thorough, legally sound data protection policy thereby complying with the new law. It is also necessary to note that technology which makes use of deep learning and AI will be serving as the glue holding everything together.
Maintaining a defensible data inventory
One can only comply with data regulatory mechanisms if they are unaware about where the data lives, who has access to it, and who in the organisation is responsible for it. The Digital Data Protection Bill requires businesses to have in place a rational procedure and an effective mechanism for redressal purposes of customer grievances. It is necessary to note that for organisations to effectively address the grievances in relation to customer data, the requirement of an effective inventory of data which will be residing across departments, in one centralised repository, arises. For organisations which deal with large amounts of data, fulfilling this requirement is difficult without the appropriate technology to ease processes. If the data is not inventoried, owing to its growth over the years, the problem gets worse for businesses handling them. Organisations are able to develop a legally sound data inventory that serves as a guide for meeting compliance requirements, locating existing vulnerabilities, and proving accountability.
Manage data subject access requests
PDP Bill, 2022 requires organisations to provide a summary report of the amount of data processed and what they relate to and make it available for customers to readily access and be aware of their data. The requirement of a defensible data inventory can be felt in this regard for otherwise accessing requests of customers will take up a lot of time. For this reason, business organisations in India require a robust system that can handle request intake thereby accurately authenticating the identity of the person or entity, as well as gather, review, and redact the essential data. Businesses need tech stacks that can access employee data because the new regulation also governs employee data, and they need integrations with HR systems to make sure that employee records are properly kept. Technology makes the process simpler by integrating data deletion requests with other legal requirements and compliance measures.
The new Bill vests the right to request personal data deletion on individuals thereby making organisations liable to do so. The process of data deletion if done manually takes up a lot of time because different departments have to be coordinated simultaneously for smooth functioning of the request. While this takes up an immense time period, an automated mechanism will do thai work fluently in minutes. Thus, organizations require integration of automated tools in their system.
Manage third-party risks
One of the prime risky areas for organisations complying with cybersecurity regulations is third-party. Let us understand how a third party can cause risk to the business organisation alongside its customers, simply. Majority organizations have migrated to the cloud for handling operations. Now, it is necessary to note that cloud solutions often connect to other data sources which are within a business. This signifies that the sensitive business data alongside personal information of the customers means is likely to be accessed by third party vendors. In thai regard, businesses need to understand two important things, namely:
- What type of customer data third parties are accessing?
- Whether the data accessed is being done in a secure manner or not.
It is only with the right uses of technology, that businesses can track vendors’ activities thereby abiding by compliance laid down by regulation and also safeguarding unnecessary infringement of such data in the most unauthorized manner. The new data protection bill lays down the imposition of Rs 250 crore as a deterrent fine on organisations failing to manage third party risks.
Data retention and minimisation
Although reducing data retention is a welcoming approach to create a deterrent against cyberattacks, most businesses actually save more data than is necessary. This problem was addressed in the new data protection bill, which states that organisations should only keep the data they actually need thereby erasing the rest. When an individual’s personal information is no longer needed for the reason for which it was gathered, “a data fiduciary must cease to retain personal data.” Data retention is considered one of the finest ways to counter cyber attack because unnecessary data that is not required by the organisations is protected by being removed and those that are required remains of a significantly lesser amount and is therefore easy to handle.
One must keep in mind that organisations may be forced to decide whether or not to keep certain categories of data they have since there is so much data and many regulatory standards that require compliance. Data minimizations can be an easy procedure if the correct technologies are used to detect if data is subjected to another regulatory requirement, such as a legal hold, or not. Technology can help organisations maintain legal compliance while achieving a balance between data minimization and retention.
Conclusion
Technology that remains up-to-date and satisfies all compliance requirements with regard to data privacy and protection is necessary in the ever-changing legal landscape. Businesses in India have to pull up their socks once the new legislation is implemented for if they don’t, the legislation will backfire their functioning. It may seem difficult to overhaul current procedures for businesses, but with the appropriate tools, they can reduce privacy-related concerns and stay competitive by ensuring their procedures are flexible and scalable.
References
- https://timesofindia.indiatimes.com/blogs/voices/what-indias-proposed-digital-data-protection-bill-means-for-businesses/.
- https://cxovoice.com/indian-digital-personal-data-protection-bill-2022-what-it-means-for-the-business/.
