Laws are needed in any civilized country for the proper functioning of the elements that constitute the society as a whole. Many new laws get introduced and old ones amended as society progresses. Data privacy laws are one such instance, and they are now being pushed across the globe. With data and information going digital and cybercrime threats becoming real, this is the need of the hour.
What is Data Privacy Law?
Data Privacy Law, or Information Protection Law, is enforced to prohibit the misuse or disclosure of personal and sensitive information of an individual. Some countries have a properly structured law, like the EU (General Data Protection Regulation), while others have a limited sectoral set of laws and are still mulling over bringing in a full-fledged regulation. India falls in the latter group. The basic principles of data protection are:
- Collected data should have a well-defined purpose.
- Information about an individual cannot be disclosed without consent.
- The data records should be accurate and current.
- Individuals should be able to review their data.
- Data transmission without adequate protection should be prohibited.
India has recently introduced its Personal Data Protection Bill, which is yet to be passed into law. It has evoked mixed reactions across various sections of society. While some have welcomed the move, a few have rejected the Bill outright and criticized it. Here are the highlights:
- Personal Data to be processed for clear, specific and lawful purposes.
- Citizens have the right to withdraw consent.
- All firms and agencies to appoint Data Protection Officers (DPO).
- Firms must have localized personal data, i.e. one copy should be present on servers in India.
- Cross-border processing of critical personal data is prohibited.
- Data processing exempted for journalistic or domestic purposes.
- Data breach notifications are to be made to the Data Protection Authority, appointed by the Indian Government, only if the breach is likely to cause harm.
Why are Indian Companies worried?
While the Bill is still in the draft phase, India Inc. is worried about the repercussions. People are worried that the law might do more harm than good due to its ambiguous nature. Here’s what has got them worried:
- No clarification on how localization of data should help the cause of privacy. Moreover, the Bill says to maintain at least one copy, which leaves a wide gap: the data may still be stored somewhere else.
- No recognition of the fact that different data fiduciaries (who collect data), though holding the same type of data, pose different risks. The Bill treats them all the same.
- The current draft will force severe changes in the modus operandi of several firms, which will be expensive.
- A lot of Indian companies have data transfer as their key functionality. The cross-border restriction will be a blow to them. Indian IT giants like Infosys, Tata Consultancy Services (TCS), and Mindtree, which service European clients, will see an outsized impact of the new regulations, and small companies are also not immune to this impact.
- The introduction of new regulatory boards is being seen as unnecessary. Instead, strengthening the original boards should be a viable option.
- The infrastructure, time and effort needed from an organization to implement the changes must be taken into account.
- Payment transaction data needs to be treated more clearly. Whether the data should be treated as sensitive or not in different situations is not very clear.
The bottom line is that the draft Bill needs to be debated and discussed at length before being given a final nod. It should create a balanced set of provisions and a level playing field for the players. The Bill should be growth-oriented and cost-effective, and should ensure that the original objective stays intact.