India’s Journey to Personal Data Protection and Data Privacy Law
By: Shushant Jha
The Personal Data Protection landscape in developing countries
Traditionally, personal data has been one of the most understated and undervalued assets in most parts of the developing world. Many uninformed customers don’t think twice before sharing their personal data through mobile applications or the websites of various organisations in order to avail themselves of services. Certain organisations have been treating a consumer’s one-line, obscure consent as lifetime approval to use that personal data in ways beyond what was implied—sometimes legitimate and sometimes, knowingly or unknowingly, illegitimate. Such datasets are shared across organisations and individuals without any control or governance mechanism. Fortunately, governments are stepping in to protect the rights of the legitimate data owners—better late than never. If data is to be democratised so that it can be leveraged for research, economic growth, and other purposes that benefit society in the long run, it is of paramount importance that a data governance policy is in place up front, before the problem becomes unmanageable.
India mooting GDPR-type law
Following in the footsteps of the EU GDPR initiative, in mid-2017 the Government of India appointed Justice BN Srikrishna, a former judge of the Supreme Court of India, to head a committee of experts brought together to create the legal framework for data protection and data privacy in India. The mandate given by the government to the committee was “to make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and suggest a draft data protection bill.”
A year after its appointment, the Justice BN Srikrishna committee submitted its 200+ page report on data protection, titled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians.” The report also contained a draft of “The Personal Data Protection Bill 2018” (the PDP Bill). Early this year, the European Parliament and the Council of the European Union brought the “General Data Protection Regulation” (GDPR) into force, and it has since been the core point of discussion about data protection and privacy. The Justice BN Srikrishna committee took note of this in its report, and the proposed bill does reflect some inspiration from the GDPR.
What does the proposed India PDP bill say and what does it mean for you?
The Personal Data Protection Bill is a commendable step towards data protection in general and is very much needed at this time, especially considering the contribution of Indian territory to global internet traffic. While it is essential to have a data regulation policy to protect the rights of the real owners of personal data, we also need to maintain an environment where such data can be used, with proper consent, for the benefit of industry, governments, and society as a whole. Most of the measures required to comply with the proposed policy can be handled through technology, while a few points may need reconsideration of some recommendations before the bill is finalised. The draft bill in its present form may also bring changes for internet service providers, or any service providers operating over the internet, because the draft proposes certain mandatory provisions that have not only financial implications but also a significant effect on the business models and modus operandi of such internet-based service providers.
Notable points from the Personal Data Protection Bill of 2018
The following, inter alia, are salient points of the committee report that concern the industry and may need more profound debate before the Bill is finalised:
The definition of data is very wide, and it may become a tool for the authorities to control the availability of data and information over the internet.
Section 2(12): “Data means and includes a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means.”
Data localisation mandates at least one active copy of the data to be stored physically in India. In the age of cloud-based infrastructure, this means every cloud provider must set up at least one cloud pod operating from India for every service delivered to users in India.
Section 40(1) says: “Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.”
There is a restriction on data collection and processing without clear and specific consent. This bars any use of personal data for a purpose conceived after collection unless explicit consent is acquired.
Section 5(1) states: “Personal data shall be processed only for purposes that are clear, specific and lawful.”
The Bill grants approval to governments to collect and process personal data for “functions of the state,” yet “functions of the state” is not defined in the bill.
Section 13 states: “Personal data may be processed if such processing is necessary for any function of Parliament or any State Legislature.”
Nevertheless, on the positive side, something unprecedented that this draft bill provides is the “right to be forgotten.” Section 27 of the bill provides for various implicit and explicit events when the “right to be forgotten” comes into play, and such a right can be enforced by approaching the adjudicating officer for the data fiduciary concerned. For medium to large Indian organisations, the challenge will be to trace every bit of the subject’s (citizen’s) data and its metadata and then act on it.
What role can technology play?
The good news, from a technological landscape perspective, is that there are several artificial intelligence (AI) and machine learning (ML) based “commercial off-the-shelf” tools and solutions available to help organisations comply quickly with the proposed guidelines that are part of this PDP Bill 2018. However, there is no AI without making data simple and accessible, and an enterprise-wide data dictionary could provide a good starting point. This will enable people at every echelon of an organisation to refer to a single definition of data. Once data becomes accessible and straightforward, strategy and operations can work hand in hand in creating a more transparent and trustworthy organisation. One of the outcomes could be a detailed, yet decipherable, definition of the permitted usage of subject (citizen) data for multichannel campaigns, which will help organisations comply with the PDP.
AI and ML tools can also automate the mapping of new laws enacted by the legislature to the business glossary of an enterprise. What used to be achieved manually, taking months and with every possibility of human error, can now be done in a matter of days. These tools also facilitate tasks that were not possible earlier, such as automatic alerts on the parts of a law, rule, by-law, etc. that the enterprise may be violating on an ongoing basis, especially since amending the law is itself an ongoing activity of the government machinery.
IBM’s Point of View
A recommended best practice from IBM would be to put in place a strategic “Data Governance” platform, both to accelerate readiness and compliance with data privacy laws and to sustain it on an ongoing basis. Needless to say, smart organisations will not take much time to recognise this as an opportunity to use PDP as a vehicle for setting up an enterprise-wide data governance platform and use it as a differentiator to assure their customers that they are using ethical business practices. In the future, this very platform could be the difference between winners and losers as it will be the source of sustainable competitive advantage.
We urge you to review IBM’s journey to GDPR compliance, where we share our organisational programme of change, prioritised work streams of activity, and the standard privacy methodology used both internally and in all client engagements. Are you contemplating taking the next steps? Start today!