On its way to becoming a US$5 trillion economy with nearly 500 million internet users, India is second only to China as the largest online market in the world. Rising internet penetration, the rapid growth of web and app-based business models and the ease of launching startups have made the country a crucial jurisdiction for the protection and handling of personal data.
The government recently approved the Personal Data Protection Bill, clearing the way for its passage through parliament before it is notified and brought into effect. When the law comes into force, the country will have a much-needed regime covering the handling, storage and processing of personal data by both public and private entities, the requirements for consent to access and use such data, the consequences of non-compliance for companies, compensation for affected individuals and the enforcement rules that complete the legal framework for personal data privacy.
The present bill follows the Personal Data Protection Bill, 2018, which was introduced on the recommendations of the high-level Srikrishna Committee. The present bill deals with three classes of personal data: general, sensitive and critical. Financial data, passwords, official identifiers, health data, religious or caste data, sexual orientation and genetic data are classed as sensitive personal data. The new law is likely to permit processing of sensitive data outside the country only with the explicit consent of the individual. Critical personal data, however, may be processed only in India, and the government will notify from time to time what constitutes critical data. Data that is neither sensitive nor critical is general personal data, and the bill places no restrictions on where it may be stored or processed.
The bill also allows the government to authorise the collection and processing of personal data, without the individual's consent, where this is necessary for national security, criminal investigation or research.
The bill requires companies handling personal data to put in place policies and frameworks that embed privacy across the full data lifecycle in their applications, systems and architecture, at every point of collection, storage, processing, transmission, use and disposal. It also requires them to adopt reliable data protection safeguards such as encryption and anonymisation.
The fine details, to be set out in the rules and regulations framed after the bill is enacted, will largely determine how strictly mandatory consent and the classification of data are regulated and overseen.
The bill will therefore greatly affect how users' personal information is kept private and secure, and will empower users by giving them the right to access the data held about them, the right to data portability and the right to be forgotten. The objective driving the bill is to give citizens confidence in how their information is handled and to build a relationship of trust between individuals and the entities that deal with their data.
All social media companies will be required to offer their users a voluntary account verification process. Unauthorised sharing of personal data will attract a penalty of up to ₹150 million (US$2.1 million) or 4% of global turnover, whichever is higher. A data breach will attract a penalty of up to ₹50 million or 2% of global turnover, whichever is higher.
What does the new law mean for businesses? The technology sector, which is likely to be affected the most, is anxiously hoping that the bill will address some of the critical concerns raised over the previous version, particularly by striking the right balance between data protection, growth and innovation.
The move from the present, largely unregulated regime for the collection, handling and disposal of personal data to a compliance regime backed by end-to-end data protection and management law is going to be crucial to the ability of entities to do business, not least because the Supreme Court only recognised the right to privacy as a fundamental right as recently as 2017. Entities that already handle cross-border flows of personal data, however, have a head start, having put in place systems that comply with the EU General Data Protection Regulation (GDPR).
The tension between private entities having to bear the burden of protecting the rights of empowered users and the government having unrestricted access to and use of personal data without explicit consent will have to be resolved as the law is enforced. Entities dealing with users' personal data will have to update their privacy notices, but before drafting them each must understand how the scope of the new law applies to its own activities.