The new Indian Data Privacy Bill & its impact on business
By Dr. Vinod Surana
Data is a collection of names, numbers, dates and measurements formatted to be machine readable. Data is responsible for boosting a company’s revenue, building its target audience and modifying its products or services to meet demand. Several sources predict exponential growth, with the size of data doubling every two years. Data volume has multiplied from two zettabytes in 2010 to 59 zettabytes in 2020. It is forecast to go beyond 149 zettabytes in the next four years (Statista, 2020). Organisations collect data from customers in several ways, and the data obtained contains personal identifying information including full names, contact details, preferences, location etc.
For example, Facebook collects data from its users by accessing their contact details, gallery (videos and images), geolocation (including check-ins) and browser history (cookies). It identifies your search patterns and targets advertisements based on your preferences. Companies like Amazon, Google Pay and Paytm collect transactional data, including credit card information, to fine-tune user experience. The majority of big organisations like Google, Microsoft and Amazon use Big Data (Bruno Aziza, 2018; Moses Bassey, 2018) to customise their recommendation engines. This allows insight into customer preferences, and by synchronising what their users want with what the e-commerce portals can offer, they streamline their business dynamics (Bernard Marr, 2020).
Each privacy breach significantly heightens public concern over privacy. Breaches compromise the data of millions and negatively impact those whose data is misused or exposed (figure 1) (Miriam Quick, Ella Hollowood, Christian Miles, 2020).
Adobe was listed amongst the biggest data breaches of the 21st century, where user records of 153 million accounts were stolen, amongst which nearly 3 million accounts had encrypted credit card records as well as login credentials. Weeks after the incident, hackers exposed customer names, IDs and transactional data in 2013 (Nico Grant, 2019). Similarly, Adult Friend Finder (provider of adult content websites and intended for casual hook-ups) exposed 412.2 million user accounts from twenty years in six databases, including usernames, email addresses and passwords in 2016. Other historically disruptive data breaches include Canva, eBay, LinkedIn, Yahoo and Marriott International (Dan Swinhoe, 2020) (Verizon, 2020).
The famous security lapse of India’s National Identification system involved data exposure of 1 billion residents’ personal identifying information from one of the world’s largest databases for merely 500 INR.
The alarming rate at which individuals lost finances, security information and identity led to countermeasures. As organisations pave their way towards digitalisation and big data, measures to monitor and protect the data are their responsibility. Across the European Union, the General Data Protection Regulation (GDPR) requires businesses to protect the privacy and personal data of EU citizens (GDPR Associates). If companies fail to adhere to the regulations, hefty penalties are levied (Michael Nadeau, 2020).
Following the framework of GDPR, India took its first step towards the draft of the Personal Data Protection Bill on 27th July 2018, led by Justice B.N Srikrishna. The draft regulated the processing of individuals’ personal data by government and private entities who access, use and store information. The bill aims to regulate individual rights by granting users full control over their personal data and ensuring companies adhere to the highest level of data protection.
The 2019 Bill was introduced by the Ministry of Electronics and Information Technology in the Lok Sabha on 11th December 2019 by Mr. Ravishankar Prasad following the 2018 draft. The bill has been referred to a Joint Parliamentary Committee for review. The following key notes form the basis of the 2019 Bill.
- To provide for protection of the privacy of individuals relating to their personal data,
- To specify the flow and usage of personal data,
- To create a relationship of trust between persons and entities processing the personal data,
- To protect the rights of individuals whose personal data are processed,
- To create a framework for organizational and technical measures in processing of data,
- Laying down norms for social media intermediaries, cross border transfer,
- Accountability of entities processing personal data,
- Remedies for unauthorised and harmful processing, and
- To establish a Data Protection Authority of India for the matters concerning data privacy.
The right to privacy as a fundamental right underlies the 2019 Bill. The growth of the digital economy, with increasing data usage as a means of critical communication between individuals, necessitates creating a free and fair digital environment that respects informational privacy. The Central Government is currently the Data Protection Authority of India.
The Act applies to the processing of personal data that is collected, disclosed, shared or processed within the territory of India as well as to processing of personal data by the State, any Indian company, any citizen of India or any body incorporated under Indian law. It additionally applies to processing of personal data by data fiduciaries not present within the territory of India if the processing is in connection with any business carried out within India or is in connection with any activity that involves profiling of data principals within India. This Act shall not apply to the processing of anonymized data other than those mentioned in section 91.
Personal data may be processed for performance of any function of the state authorized by law for public interest or if processing is necessary for recruitment, termination or assessment of employment of an individual by the data fiduciary or other reasonable purposes mentioned from 12-15 subsections of the Bill, 2019. Examples of reasonable purposes include fraud, whistle blowing, mergers and acquisitions, recovery of debt etc.
Personal data of children can be processed if it is in the best interests of the child and done in a manner that protects the rights of the child. For such authorization, it is mandatory to verify the child’s age and obtain the consent of the child’s parents or guardian.
Every data fiduciary is required to appoint a Data Protection Officer to act as the focal point of contact in matters relating to the fulfilment of obligations under this act (Bill 373, 2019). The officer will be the point of contact working with the data principal for the purpose of speedy grievance redressal.
The Act prohibits the transfer of sensitive and critical personal data outside India. It may be transferred in case of explicit consent by the data principal, with a copy remaining in the data centre within the territory of India (Bill 373, 2019). The data fiduciary is liable for any offences or any harm caused due to non-compliance with the provisions by such transfer. There may be exemptions where the Central Government is satisfied in the interest of sovereignty and integrity of India or to prevent any cognizable offence laid out in section 2 of the Code of Criminal Procedure, 1973. Other exemptions include processing necessary for research, archival or statistical purposes (Bill 373, 2019).
A sandbox, or testing environment, may be created for purposes relating to innovation in Artificial Intelligence, machine-learning, or other emerging technologies that uphold public interest (Angelina Talukdar, 2020).
The penalties range from five crore rupees or two percent of total worldwide turnover of the preceding financial year to fifteen crores or four percent of the worldwide turnover (whichever is higher) for data fiduciaries who contravene the obligations mentioned in the act. Failure to comply with requests from data principals is liable to a penalty of five thousand rupees for each day the default continues, up to a maximum of ten lakh rupees (Chapter X, Bill 373).
The Bill 2019 is likely to impact the way digital businesses operate in India. The e-commerce market in India is expected to grow from 38 billion USD (2017) to 200 billion USD by 2026 which is precedent to the increase in internet availability and ease of using smartphones. Consequently, the roads for foreign trade and multinational companies will open. The Bill is likely to impact several business entities.
They will be obligated to inform users of the purpose for which they wish to collect data and to obtain consent. As a result, companies are also obliged to provide blueprints setting out their data processing and protection measures. There are several limitations laid out with respect to processing of personal data:
– No personal data shall be processed by any person except for a specific, clear and lawful purpose.
The broad inclusions within the definitions of sensitive personal data and critical personal data, like passwords and transactional data, are not included in the international data protection laws. Foreign companies will face difficulties in meeting the new compliance demands, which may also hinder trade and the process of transferring personal data across jurisdictions.
– Processing of personal data shall be in a fair and rational manner to ensure privacy and for the purpose it was consented to.
– Collection of personal data should be limited to the extent of purpose.
– Data fiduciaries are required to give the data principal a notice at the time of collection of personal data.
The notice must contain the data collection purpose, the nature and categories of personal data being collected, the identity and contact details of the fiduciary as well as the data protection officer, and the right of the data principal to withdraw consent as well as the procedure for doing so. If the data is not collected from the individual, then the source of collection and the basis for such processing are required. Moreover, the procedure for grievance redressal and the right to file complaints to the authority, or any other information as specified by regulations, must be incorporated.
– Data fiduciaries are required to take responsibility to ensure that the personal data processed is complete, accurate, updated and devoid of any loopholes with regard to the intent of such processing.
This brings excessive liabilities to the data fiduciary (of these companies) as they will have to pay hefty compensations in case of any contravention or an offence. The burden of proof to show that consent has been taken lawfully from individuals will be on the fiduciary.
– The data must not be retained for longer than the period specified or required to satisfy the purpose, and must be deleted at the end of processing.
– The personal data must not be processed, except where the individual has consented at the commencement of its processing.
– The consent must be free, informed, specific, clear and capable of being withdrawn with ease.
Compliance costs are predicted to increase following the clause on periodic review, maintenance of records and the costs incurred due to the appointment of a Data Protection Officer. Operational costs are likewise projected to increase as companies face stricter stipulations to be able to work in the Indian market. Updating internal breach notification procedures, alongside procedural and technical implementations to avoid misuse of data, will add significant costs.
Cross-border transfers will face ramifications due to the restrictions of data localisation where the fiduciary has to store one serving copy of the personal data on a server or a data centre within the territory of India (Angelina Talukdar, 2020; Indus Law, 2018; Palak Agrawal, 2020; Suneeth Katarki et al., 2020; Var India, 2019). Companies like Facebook, WhatsApp (Council on Foreign Relations, 2018), Amazon, Microsoft will have to host their data in India too. It will affect the overall ease of doing business for global entities making a move in the Indian market.
Sandboxing is introduced in light of public interest in encouraging research and innovation in areas of AI, machine learning, and other technological advances. Sandboxing terms should not exceed twelve months with possibility to renew the window twice (i.e., a max of 36 months). Projects that remain incomplete within this window will incur additional costs and renewal procedures, with extensions in duration also adversely impacting data protection.
Unlike the GDPR which has uniform application of the law, the Bill exempts government bodies. The 2019 Bill grants the Central Government power to exempt any governmental agency from the application of the act, opening the door for misinterpretation and misuse of the law. Will the regulations differ for the data fiduciaries with the Telecom Regulatory Authority of India’s (TRAI) release of recommendations? These revolve around the dynamics of privacy, security and ownership of data in the Telecom sector.
The law remains unclear in its approach and specificities; however, the underlying objective to protect individuals’ data drives this legislative area. Individuals’ consent will be deemed necessary with potential to withdraw consent. Data fiduciaries have high responsibilities in protecting sensitive data from exposure, misuse, or being stolen. With curbing of the internet a seeming non-possibility, measures taken by fiduciaries and the Indian Government seem to be requisite in addressing data privacy.
Inclusion of governmental entities must be considered to safeguard against national security breaches. Exemption of governmental entities may allow improper leeway for interference in citizens’ lives. Amendments to the 2019 Bill in accordance with international data protection laws may be useful for long-term privacy protection. International companies will have to step up to handle data whilst operating in India. While a step up from the 2018 draft, the 2019 Bill requires restructuring to identify and address significant data threats.
Angelina Talukdar (2020) Key Features Of The Personal Data Protection Bill, 2019. Mondaq, LexOrbis. Available at: https://www.mondaq.com/india/data-protection/904330/key-features-of-the-personal-data-protection-bill-2019?login=true (Accessed: 13 November 2020).
Bernard Marr (2020) Amazon: Using Big Data to understand customers. Intelligent Business Performance. Available at: https://www.bernardmarr.com/default.asp?contentID=712 (Accessed: 13 November 2020).
Bill 373 (2019) THE PERSONAL DATA PROTECTION BILL, 2019. Government of India, India. Available at: http://126.96.36.199/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf (Accessed: 13 November 2020).
Bruno Aziza (2018) Big Data: Amazon, Google, Microsoft, The Cloud And Other 2018 Trends. Forbes. Available at: https://www.forbes.com/sites/ciocentral/2018/01/08/big-data-amazon-google-microsoft-the-cloud-and-other-2018-trends/?sh=687b62b72ba1 (Accessed: 13 November 2020).
Council on Foreign Relations (2018) Three Problems with India’s Draft Data Protection Bill. Council on Foreign Relations. Available at: https://www.cfr.org/blog/three-problems-indias-draft-data-protection-bill (Accessed: 13 November 2020).
Dan Swinhoe (2020) The 15 biggest data breaches of the 21st century | CSO Online. CSO India. Available at: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html (Accessed: 13 November 2020).
GDPR Associates (no date) Why is GDPR So Important? GDPR Associates. Available at: https://www.gdpr.associates/why-is-gdpr-so-important/ (Accessed: 13 November 2020).
Indus Law (2018) THE PERSONAL DATA PROTECTION BILL, 2018. Indus Law. Available at: https://induslaw.com/app/webroot/publications/pdf/alerts-2018/Personal_Data_Protection_Bill_2018.pdf (Accessed: 13 November 2020).
Michael Nadeau (2020) What is the GDPR, its requirements and facts? | CSO Online. CSO India. Available at: https://www.csoonline.com/article/3202771/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html (Accessed: 13 November 2020).
Miriam Quick, Ella Hollowood, Christian Miles, D.H. (2020) ‘World’s Biggest Data Breaches & Hacks’, Information is Beautiful, pp. 1–5. Available at: https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ (Accessed: 13 November 2020).
Moses Bassey (2018) Facebook, Google & Microsoft: Masters of “Big Data” | by Moses Bassey | Medium. Medium.com. Available at: https://medium.com/@mosesbasseyekwere/facebook-google-microsoft-masters-of-big-data-8c8e0942f8d (Accessed: 13 November 2020).
Nico Grant (2019) Adobe Exposed Data of More Than 7 Million Software Users – Bloomberg. Bloomberg. Available at: https://www.bloomberg.com/news/articles/2019-10-25/adobe-exposed-data-of-more-than-7-million-software-users (Accessed: 13 November 2020).
Palak Agrawal (2020) Personal Data Protection Bill 2019: If You Run A Company, Know How It Is Going To Affect You. The Logical Indian. Available at: https://thelogicalindian.com/news/data-protection-bill-impact-on-companies-19981 (Accessed: 13 November 2020).
Statista (2020) Total data volume worldwide 2010-2024. Statista. Available at: https://www.statista.com/statistics/871513/worldwide-data-created/ (Accessed: 13 November 2020).
Suneeth Katarki, Namita Viswanath, Ivana Chatterjee and Rithika Reddy Varanasi (2020) The Personal Data Protection Bill, 2019: Key Changes And Analysis. Mondaq, Indus Law. Available at: https://www.mondaq.com/india/privacy-protection/880200/the-personal-data-protection-bill-2019-key-changes-and-analysis (Accessed: 13 November 2020).
Var India (2019) Mozilla highlights pros and cons of revised Personal Data Protection Bill. Varindia. Available at: https://varindia.com/news/mozilla-highlights-pros-and-cons-of-revised-personal-data-protection-bill (Accessed: 13 November 2020).
Verizon (2020) Data Breach Investigations Report. Available at: https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf (Accessed: 1 August 2020).