The pace of digitisation fueled by demand for digital transformation in the corporate ecosystem as well as government services is exponentially increasing the generation and collection of personal data. The usage of elements like big data, analytics, etc. enables to know more about individual’s preference and online behavioural patterns which can be harnessed for a targeted commercial campaign. Currently, in India, the protection of personal data seems more voluntary than mandatory in the absence of structured data privacy law. A country amongst the top three for the highest number of internet users, the need for an appropriate privacy legal framework becomes critical.

With the amount of personal data being shared by citizens directly or indirectly with various entities, it has become extremely crucial to ensure that individual users have autonomy and control over their personal data in the digital economy. Our Indian Government has also understood the need for a strong and structured privacy regime to govern the processing of personal data by introducing the Draft Personal Data Protection Bill (PDPB), which is under consideration and review by Joint Parliamentary Committee (JPC).

The PDPB 2019, was introduced in the Indian Parliament in December 2019 and is currently undergoing analysis by JPC. The JPC has recommended that the ambit of the Bill needs to be expanded to focus more on the digitisation and localisation of data. JPC also wants the final Bill may also cover nonpersonal data (not merely securing personal data), which includes sensitive and critical data.

Draft PDPB covered the data privacy of personal data of individuals across the data life cycle that includes collection, transfer, process, disclosure and disposal. Draft PDPB has few elements which are similar to other leading global data protection regulations like the EU’s General Data Protection Regulation (GDPR). Draft PDPB also covers the obligations of the data fiduciary such as lawfulness in processing the personal data, purpose limitation, collection limitation, storage limitation, quality of personal data, etc.

The draft PDPB in the present state also outlines provisions of tough penalties in response to data security breaches. The draft law calls for data fiduciaries to proactively develop a privacy strategy to address privacy obligations and shift the way they approach data privacy. The data fiduciaries will have to establish organization-wide privacy responsibility and accountability for data privacy and might even warrant revamp of few business processes to streamline their data visibility.

The draft PDPB has the following key areas that have been covered as part of the framework which should support India with a robust privacy structure.

Significant Data Fiduciary

– Under this bill, some of the fiduciary will be classified as significant data fiduciary based on the parameters like volume and sensitivity of personal data processed, turnover of the data fiduciary, risk of harm by processing the personal data, etc. These entities need to have implemented additional controls such as the appointment of a Data protection officer and perform data protection impact assessment.

Consent Manager – Consent managers are defined as a data fiduciary under the bill which enables data principals to gain, withdraw, review and manage their consent through an accessible, transparent and interoperable platform. This provision will help to manage the consent of the data principal in a centralised manner.

The draft PDPB also has some restrictions around cross borer data transfer of critical personal data but the bill is yet to provide explicit clarity around the definition of the same. Further, some of the areas of the draft bill such as data categories definition under critical data, declaration for data fiduciaries as a significant data fiduciary, data breach notification timeline, etc. would have a dependency on data protection authority. Few operational pieces like privacy notice for a multilingual country like ours would pose constraints for the implementation.

The privacy laws have been around for a fairly long time in the case of developed regions (i.e. Australia, Canada and Europe), and whereas among the developing countries (i.e. Brazil), in recent times there is a rising tide for the adoption of privacy regulations to protect the personal data of their citizens. While the law might undergo amendment for further improvisation, it is essential to ensure the protection of personal data of Indian Citizens in the digitised world by establishing a stronger privacy regime through the forthcoming Personal Data Protection Bill.

—Vidur Gupta, Partner, Data Privacy, EY India. The views expressed are personal

(Edited by : Ajay Vaishnav)

First Published:Apr 2, 2021 4:07 PM IST