India currently lacks a comprehensive data protection law. In light of the growing importance of technology-based enterprises, the Indian Parliament undertook a process to develop the country’s data protection regime.
On 11 December 2019, the Ministry of Electronics and Information Technology (MeitY) introduced the draft Personal Data Protection Bill, 2019 (PDP Bill) in Parliament, which referred it to a Joint Parliamentary Committee (JPC) for further consideration.
Following consultations with stakeholders, the JPC issued its report and the finalized Data Protection Bill, 2021 (DP Bill) on 16 December 2021.
The DP Bill applies to personal data that has been acquired, disclosed, exchanged, or otherwise processed in India, as well as to personal data handled by the State or State organizations, Indian corporate entities, and Indian nationals.
Personal data is defined as information about or pertaining to an identifiable natural person, whether directly or indirectly, based on one or more characteristics of their identity (whether virtual or physical), and also includes inferences generated from such data for the purpose of profiling.
Sensitive personal data is also recognized as a distinct kind of data in the DP Bill and is subject to heightened criteria.
Sensitive personal data includes information that reveals, is associated with, or constitutes financial data, health data, official identifiers, sexual life and sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious, political belief or affiliation, and any other category as may be notified. In the DP Bill, the word ‘financial data’ is defined strictly.
Financial data is defined in Section 3(21) as any number or other personal data used to identify (i) an account created by a data fiduciary or (ii) a card or other payment instrument issued by a financial institution.
Additionally, it comprises information about the relationship between a financial institution and a data principal, such as financial and credit status. Other sorts of data, such as account statements, information about other financial products, and investment information, are not considered financial data.
The DP Bill also applies to companies headquartered outside India that process personal data in connection with any business or activity that involves supplying goods or services to persons located in India or profiling data subjects located in India.
However, such action must be directed exclusively towards Indian people and must not be incidental to the provision of goods or services.
Additionally, the DP Bill empowers the Central Government to exempt from the Bill’s provisions the processing of personal data of data principals located outside the Indian territory, pursuant to a contract entered into with any person/company incorporated outside India by any data processor incorporated under Indian law.
In a change from earlier drafts of this law, the DP Bill includes non-personal data in its scope. Non-personal data is defined as any data that is not personal data. This may include anonymized data (personal data which has undergone anonymization).
Anonymization is described as an irreversible process of altering or converting personal data in such a way that the data principal cannot be identified, meeting the standards of irreversibility specified by the Data Protection Authority (DPA).
As a result, unless the DPA establishes a technological barrier for anonymization, it will be impossible to define what constitutes anonymized data categorically.
Unlike in the case of personal data, the DP Bill makes no mention of territorial limitations on the applicability of its provisions in the case of non-personal data.
However, the present draft provisions regulate such data only in terms of data breaches and the Central Government’s power to direct data fiduciaries and processors to provide such data for targeted service delivery or evidence-based policy formation.
WHAT EFFECT WILL THE PDP HAVE ON BUSINESSES?
The PDP Bill should have a negligible impact on foreign enterprises that already comply with standards such as the GDPR. India’s government has made a deliberate effort to avoid excessive localization requirements.
Compliance with the PDP criteria brings Indian-based businesses into line with international data protection best practices. Nonetheless, all businesses must be aware of some national aspects of the regulation.
The first requirement is for independent audits approved by the DPA. While it is not yet clear which firms will be required to comply, it is probable that larger organizations and those that process large volumes of data will be required to do so.
Second, data localization standards state that either a copy of the data be retained in India or that it does not leave the country at all, in the case of vital data. These regulations should become apparent as the PDP Bill’s implementation date approaches.
Additionally, social media businesses would be required to adhere to a condition requiring users to verify their identities. Again, the precise manner in which this requirement will operate is unknown.
“On a positive note, IT and social media behemoths would now have the confidence to host their worldwide services in India rather than elsewhere,” observes Qualys’ Deepak Naik.
“They will be able to implement a compliance structure that is comparable to or identical to that of the nations served.”
WHAT STEPS MAY BUSINESSES TAKE TO GUARANTEE COMPLIANCE?
Compliance will be contingent upon enterprises being aware of their applications and information technology systems, as well as the locations and purposes for which they gather and handle data.
“To do this, businesses must understand their whole infrastructure, be able to specify their security installations, and maintain that infrastructure over time,” says Deepak Naik of Qualys.
RV Raghu, an ISACA specialist, concurs.
“Businesses must begin with the fundamentals, such as understanding what data is being gathered and why, how it is being processed, and who has access to it,” he adds.
COMPLIANCE INVOLVES A COORDINATED EFFORT OF PEOPLE, PROCESSES, AND TECHNOLOGY
Finally, in today’s highly regulated data environment, firms in India must adopt and implement an effective compliance plan, as those that do will benefit commercially. Those with weak data privacy protection and limited use of data governance tools must adapt swiftly.
However, more broadly, businesses must improve their visibility of their data before they can claim compliance with applicable data protection rules.
By implementing a tiered approach to data security and focusing on people, processes, and technology, Indian firms can confidently embrace the new PDP Bill and, if compliant, can consider it as a competitive advantage.
Published By : Chittajallu H S Kumar
Edited By: Kiran Maharana