India presented a law on the protection of personal data in December 2019 to protect personal data and announced that it would set up a data protection authority to take over this task.
At that time, some of the initial concerns about this – including an increase in business costs and the rejection of a clause authorizing the government to require a company to anonymously submit their data in order to plan policies – were well publicized.
Shortly thereafter, the bill was referred to a mixed parliamentary committee with members from across the political spectrum to analyze its proposals and propose changes based on the concerns of various stakeholders, including government agencies, corporations, activists and data security experts, among others.
After many delays, the committee presented its report in mid-December with proposals for optimizing the draft law in parliament, and the lines of battle have already been drawn.
What is the biggest change the committee has proposed?
Of the 56 proposed changes, probably the most significant change to the bill is a proposal to include non-personal data in addition to personal data, which significantly broadens the scope of the bill and consequently changes the name to the Data Protection Bill. 2021.
The bill lists about half a dozen categories to define personal data, including a person’s name, cell phone number, biometric data – anything that can identify a person. Any additional information that does not allow personal identification will be treated as non-personal data.
In the technology-dependent world we live in, there is no shortage of non-personal data generated every minute of the day, from a person’s Google search to the directions on Google M -s that a commuter takes to the number of people who drive User draws an -p in an area or the number of people who commute between two destinations.
This is the first time a country’s legislature has attempted to legally c -ture such information, Salman Waris, a partner at TechLegis Advocates & Solicitors in New Delhi, told Al Jazeera. It could have a “massive impact” on companies that c -italize on this data, as the use of that data can now be regulated, Waris says, and they are likely to challenge that provision.
In other words, the government wants to treat non-personally identifiable information as a community resource that it can monetize in the form of licenses to use that information, much like it does with the telecommunications spectrum, Waris adds.
What are some of the other areas of concern?
The Committee has given the government greater powers to exempt its authorities from the rules for reasons as wide as national security, public order, the sovereignty and integrity of India, and friendly relations with foreign states.
The lump-sum exemption lasted “the blow away from the legislation ”, says Waris and turns it into“ legislation that is aimed at the private sector and forms two parallel regimes ”.
This also -plies to Indian citizens’ right to privacy, a fundamental right that went back to a 2016 ruling by the country’s highest court, waris warns.
The bill also adds that while companies are required to notify regulators of data breaches, they are not required to share that information with the person whose data has been breached. Companies are reluctant to admit weaknesses in their system and can hardly rely on the fact that they provide this information voluntarily. “How is the user whose data may have been leaked to fix this when? [she] has no idea that that h -pened, ”says Waris, calling the whole exercise“ contradicting itself ”.
The bill also targets social media platforms and suggests calling them a “publisher” rather than an intermediary. As the publisher, a platform is responsible for all content published on it and is released from the intermediaries’ safe harbor protective measures, according to which they are not liable for the content published by their users. The move can have a serious impact on freedom of expression as it can encourage social media platforms like Facebook and Twitter to actively censor content to avoid legal issues, experts warn.
Did you do something right?
The amended bill introduced a sunset clause under which the new rules will come into effect two years after the bill goes into effect, giving companies ample time to prepare for the upcoming changes, a useful change from earlier than when the rules should -ply immediately afterwards Get -proval.
The draft law also provides that data from minors – under 18 years of age – may only be processed under certain circumstances and with the consent of their parents. Not all stakeholders are h -py with the committee adhering to this rule, which is very different from the United States, where parental consent is only required for those under the age of 13.
Furthermore, the fact that India, thanks to its IT services sector and data hub call centers, is finally planning a data protection law is a big and important step. It will help the country get the stamp of a “secure” nation from the European Union and reduce compliance measures for Indian companies doing business in EU countries, Waris says.
What are the next steps?
The Data Protection Act could be adopted in its current form or further amended by the Ministry of Electronics and Information Technology, which will eventually bring it to Parliament. It has to be passed by both Houses before it can become law. But since the ruling Bharatiya Janata Party has the majority in both houses, that shouldn’t be a problem. This despite the fact that some members of the opposition who were on the committee issued so-called dissenting opinions in which some parts, or in some cases the whole of the bill, were rejected.
However, it is only a matter of time before we see some legal challenges against the bill and this will determine the final rulebook when it comes into effect.
Comments are closed.