Data Protection Bill raises confusion and controversy
India’s Union Minister of Electronics and Information Technology, Ravi Shankar Prasad, has announced that the bill regarding Data Protection has been finalised. The bill is expected to be heard in the Indian Parliament in June.
In its current form, the bill has raised considerable confusion, as there is concern among Indian boards of directors that it will slow the progress of the country’s IT industry.
The law will not, however, affect overall data processing, including that of Big Data, in any way, cautioned S. Gopalakrishnan, Joint Secretary, Ministry of Electronics and Information Technology, on April 8, 2019.
“The government will ensure that the law does not become an ‘unintended barrier’ to India’s growth in digital economy. The core focus of the bill is on the individual and how to protect his or her privacy based on consent. Anything else is irrelevant,” the official explained.
So reports that companies will be obliged to remake their entire data processing operations are entirely false. “Countries from across the world are coming to do business in India and vice versa. If too many speed breakers are put in place, it would make it difficult to extract data,” Gopalakrishnan added.
Data Protection Bill is similar to GDPR
The first step was the Indian Supreme Court’s recognition of the ‘right to privacy’ as a fundamental right under the Constitution of India in August 2017.
The next step was the Data Protection Bill, which was proposed in the same year. “The bill, which runs into 112 sections, comes with its own challenges and ambiguities,” says a report by PwC and The Associated Chambers of Commerce and Industry of India (Assocham).
The bill will be applicable to all organisations based in India, and to those who make use of personal data from India wherever they may be in the world – these are defined as ‘data fiduciaries.’
“The bill, in this way, is a positive step in ensuring that a level playing field is established for Indian corporations as well as multinationals wanting to do business in India under the same privacy jurisdiction,” the report says. “It is in line with regulations that are currently prevalent, such as the EU’s General Data Protection Regulation (GDPR, (EU) 2016/679). It touches upon almost all the domains of personal data privacy such as collection limitation, fair and lawful processing, notices/consents, data subject rights, privacy by design, security safeguards, transfer of personal data, penalties, data quality, privacy incidents or breaches and children’s privacy. The bill has also identified the supporting regulatory and administrative framework for enabling the enforcement of its roll-out,” the report continues.
Penalties for non-compliance are severe
As the bill states:
“Where the data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to five crore rupees (50 million rupees) ($7.51 million) or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable—
(a) obligation to take prompt and appropriate action in response to a data security breach under section 32 of this Act;
(b) obligation to undertake a data protection impact assessment by a significant data fiduciary under section 33 of this Act;
(c) obligation to conduct a data audit by a significant data fiduciary under section 35 of this Act;
(d) appointment of a data protection officer by a significant data fiduciary under section 36 of this Act;
(e) failure to register with the Authority under sub-section (2) of section 38.”
Data Protection Bill Challenges and Ambiguities
But the bill comes “with its own challenges and ambiguities” as the PwC-Assocham report puts it.
The Data Localisation provisions pose a very controversial challenge. The bill requires that one copy of all personal data to which the law applies be stored on a server located in India. The bill also gives the Indian government the authority to classify information as “critical personal data,” which may only be stored within India.
“It is significant that this would broadly apply to any data, ‘collected, disclosed, shared, or otherwise processed within the territory of India,’ meaning, for example that it could capture all personal data provided by foreign entities to Indian IT companies for processing, even if such foreign entities do not process Indian citizens’ data,” as law firm WilmerHale points out.
There has been much objection to this provision. For example, the Indian IT sector’s trade association, NASSCOM, has criticised it, raising concerns that the “mandated localisation of all personal data… is likely to become a trade barrier” within India, disproportionately impacting smaller companies and start-ups.
Provisions on anonymisation pose ambiguities
The provisions on anonymisation also pose ambiguities. “The proposed bill explicitly states that it will not apply to the processing of anonymised data. However, organisations are required to apply the standards specified by the Data Protection Authority (DPA) for anonymisation. The exclusion of anonymised data will considerably bring down the obligations on entities (both in the private and public sector). In order to prevent harm to specific groups of individuals, the limitation of processing and publishing analysis of anonymised data should be evolved,” comments PwC-Assocham.
Legal experts also complain that the bill creates a regulatory challenge: the Data Protection Authority that will enforce the law is not sufficiently independent.
“The central government has significant control over the regulatory regime, and it is vulnerable to capture by industry,” warns Chinmayi Arun, assistant professor of Law at the National Law University in New Delhi.
“The draft bill gives the central government the power to appoint members of the data protection authority upon the recommendation of an outside committee. The appointment is for a term of five years, which seems much too short to give a new institution sufficient time to learn the ropes and gain the independence it needs to be an effective regulator. The central government also has the ability to remove members of the authority for reasons specified in the law.”
What boards of directors need to consider
The upcoming Indian Data Protection Law will place a heavy governance burden on boards who must implement compliance and make security improvements. Managing this requires both a reference source for good governance, and background on security protections. Diligent Governance Cloud, with its library of Diligent Insights and wealth of background material, along with its ability to accelerate discussions among board members and experts, can be a powerful tool to speed this implementation.
Diligent Governance Cloud: A reliable tool for achieving compliance
The Governance Cloud, the only integrated enterprise governance management solution that enables organisations to achieve best-in-class governance, is an ecosystem of software tools that digitises the various activities and tasks for the board of directors. As organisations grow more complex and regulations more stringent, the scope of governance responsibilities evolves. The Governance Cloud allows boards of directors to meet the demands in the boardroom and beyond with the ability to select the products they need that help them perform their best and work within their allotted budgets.