Topics In Demand
Notification
New

No notification found.

258

0

 

Policymakers, Big Tech, digital entrepreneurs and civil rights activists across the globe are engaged in debates about Data Privacy. In an increasingly digital world, companies and administrations need to collect data to serve you better. Equally, there are worries that your data, thus collected, can be misused. How much to collect, how to store and protect the data, and what purposes it can be used for, continue to be some of the key issues revolving around data privacy.

The worry that data collected by technology firms could be misused or even hacked by malicious actors have led many countries to pass stringent laws and prescribe norms for data protection. The increasing incidences of hacking and financial and identity fraud have only accelerated the move. The EU-GDPR and the China Data Protection Law are two notable laws that prescribe stringent norms for organisations collecting and storing personal data.

India’s own Data Protection Law could come into effect very soon as well. The Joint Parliamentary Committee (JPC) report on the Personal Data Protection Bill, was tabled in both houses of the parliament.

So, what is personal data?  It includes any information that can be used to identify an individual. The scope of “personal data” includes everything from your name, address, telephone number, email address and identification documents to bank statements, telephone records, emails, text messages, employment records, appraisals, website browsing history, among others.

The proposed bill is expected to change the way privacy is perceived and practised within Indian business and government departments. It will apply to data fiduciaries or data processors in India and abroad, if they process any personal data for any business carried in India: offer goods and services to data principles (citizens) in India; or any activity which involves profiling of data principals within the country.

The bill puts an emphasis on data localization and organizations need to identify and store “critical data” in servers located in India. This is likely to increase the costs for those who currently save data in central server farms outside India. But it will also give a fillip to the domestic data centre industry. Additionally, sensitive data can be transferred outside India with explicit consent, basis contracts permitted by government. This will need standardized privacy-oriented agreements for transfer of data and obtaining explicit consent of the data principals. 

The bill states that social media platforms can operate in India only if the parent company sets up an office in the country. The recommendations also suggest that social media companies are accountable for the content that is published on their platform and should therefore be addressed as “publishers”.

The bill has also laid down clauses on certification of digital and IoT devices to regulate hardware manufacturing companies. Additionally, it introduces the concept of Privacy by Design.

Organizations will need to appoint a Data Protection Officer who will be responsible for providing information and assisting the authority to ensure compliance of the provisions.

India’s Data Protection Bill also grants a wide range of rights to its data principals. Sensitive personal data shall not be processed, unless consented by the data principal at the time of commencement of its processing. The bill also has the provision to grant compensation to data principals in case of violations.

The bill protects children as well – prescribing regulations for parental consent and age verification for data fiduciaries. The bill has introduced guardian data fiduciaries who operate commercial websites or online services directed at children or process large volumes of personal data of children. Guardian data fiduciaries will be prohibited from profiling, tracking, behavioural monitoring or engaging in targeted advertising of children.

The bill prescribes stringent penalties for organisations that do not follow the norms. But also proposes a phased wise approach of implementation of provisions with a timeframe of 24 months for organizations to make changes to their policies, processes, and infrastructure.

The bill is a bold step in strengthening India’s privacy landscape with the steep rise in the consumption of digital services. It also strikes a fine balance to ensure that organisations have enough time to adhere to the prescribed norms.

 

About the author:

By Murali Rao, Cybersecurity Leader and Lalit Kalra, Partner – Data Privacy, EY India


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


© Copyright nasscom. All Rights Reserved.