In December 2019, the Indian government introduced the Personal Data Protection Bill (PDPA) in parliament. The bill was referred to a joint parliamentary committee for scrutiny, and once the committee publishes its report, the bill will be debated. PDPA is expected to be passed this year, since the ruling party has a majority in both houses. Here’s what you need to know about PDPA.
The data protection bill
“The Bill regulates the processing of citizens’ personal data by government, companies incorporated in India, and foreign companies that are dealing with personal data of customers in India. Through the proposed law, the Government of India is rooting for data sovereignty by mandating certain classes of data to be stored within Indian borders. The proposed bill also allows the processing of data by fiduciaries with the consent of the individual,” according to CISO Mag.
Fiduciaries are the entities or individuals who determine the purpose of processing personal data. The bill regulates three categories of data: personal, sensitive, and critical. Personal data is any data through which a person can be identified; information such as name, address, phone number, photos, online search history, and food preferences falls into this category.
Sensitive personal data includes things like financial information, healthcare data, biometrics, sexual preferences, caste, political beliefs, and so on. The government is yet to define what critical personal data involves.
For Indian citizens, PDPA provides the highest level of protection to their personal data. An entity cannot collect, process, or share such data without the express consent of the individual, and even then the collected data can only be used for the pre-defined purposes. Companies are required to disclose how long an individual’s data will be retained, and citizens have the right to move their personal data from one service provider to another.
The bill also provides for the establishment of a Data Protection Authority, tasked with ensuring that everyone complies with the provisions of the bill and with issuing further guidelines on how to process personal data. “The Authority will be comprised of members with expertise in fields such as data protection and information technology. Any individual who is not satisfied with the grievance redressal by the data fiduciary can file a complaint to the Authority. Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court,” according to PRS India.
Impact on companies
Once the bill is passed into law, companies will have to overhaul their operations and restructure their business practices to comply with the proposed rules for using and managing data. Because the bill will come into effect in multiple phases, the time companies need to comply will depend on factors such as the amount of data they collect, the complexity of their data flows, and the number of countries in which they operate. For now, there is not much companies can do.
“Companies can start thinking about and considering the Bill, but they can’t do much until the delegated legislation under it emerges. The Bill is strictly principle-based and companies don’t exactly know how to begin compliance. The practice-related aspects on how to locate data in certain jurisdictions, the compliance processes for data collecting, processing, storing, etc., how verifications would be operationalized will only become clear later,” according to Medianama.
The bill also proposes that all non-personal data held by a company can be taken over by the government. The argument offered by way of analogy is that, just as oil found on private land is not truly private but belongs to the state, a company’s non-personal data belongs to the government, and the state can gain access to it whenever it wants.