India’s digital economy is on a roll. Ms. Nirmala Sitharaman, Minister of Finance and Corporate Affairs, has said that the digital economy is predicted to reach USD 800 billion by 2030. The country’s digital revolution has disrupted almost every sector of society, with over 450 million internet users, 6,300 fintechs, a rise in retail investor accounts from 45 million in 2016 to 88.2 million in 2021, and a whopping growth rate of 7-8%. Digitization is, without doubt, a powerful enabler of national growth: it transforms public and private services, supports policy decision-making, and allows the implementation and effectiveness of programs and initiatives to be monitored.
However, the large-scale adoption of intelligent devices and the development of customer-facing digital applications across sectors have expanded attack surfaces, and the burden of governing and securing data has grown exponentially with them. Individuals’ online activities now leave a vast digital footprint. Protecting this data has become an arduous task, and failures to protect it lead to damaging breaches and lapses in privacy. Unregulated and indiscriminate use of personal data threatens the privacy and autonomy of individuals.
The time has come to anonymize and secure user data by enforcing stricter regulation that reduces the chances of data theft and allows offenders to be prosecuted. The Indian Government has taken significant steps to regulate citizens’ data, including personal data, health data, financial data, online shopping data, and data acquired through customer-centric services.
One such move is the introduction of the Personal Data Protection Bill (PDP), which sets out the mechanisms, practices, guidelines, and protocols that every company handling customer data must implement. The Bill matters greatly for India: the world’s second most populous country, despite boasting a massive, high-growth technology sector, has lacked a comprehensive data privacy regime that could give its citizens more control over their data. The objective of the Bill is to support the growth of the digital economy while securing citizens’ data.
Key Highlights of the PDP Bill
Data Categorization
The Bill divides data into three categories, each with its own localization requirement, and governs the processing of personal data by the government and by Indian and foreign companies.
- Sensitive Personal & National Security Data: Must be stored and processed locally. National-security data cannot leave India at all, and sensitive personal data can be transferred abroad only under the conditions described under Data Transfer Outside India below. This category includes financial data, biometric data, caste, religious or political beliefs, and any other category the Government specifies.
- Personal & Commercial Data: Can be mirrored abroad, but an original copy must remain on a server in India. This includes characteristics, traits, or attributes of identity that can be used to identify an individual.
- Non-Personal Data: Data containing no personally identifiable information need not be localized.
Data Fiduciary Obligations
Data fiduciaries (the entities that decide why and how personal data is processed) may process data only for specific, explicit, and lawful purposes. They must also adopt transparency and accountability measures, such as deploying security safeguards (encryption, prevention of data misuse) and establishing grievance redressal mechanisms through which customers can raise complaints.
Consensual Processing of Data
Fiduciaries may process data only with the consent of the data principal (the individual the data is about). Data may be processed without the individual’s permission only in exceptional circumstances, such as legal proceedings, medical emergencies, or the provision of State benefits or services to the individual.
Data Principal Rights
The individual the data is about (the data principal) can obtain confirmation from the fiduciary of whether their data is being processed. They can have their data corrected, have it transferred to another data fiduciary, restrict its continued disclosure once the purpose of processing has been served, and withdraw their consent.
Social Media Intermediaries
The Bill defines social media intermediaries as services that primarily enable online interaction between users and allow them to share information. Such intermediaries must offer users in India a voluntary account verification mechanism.
Data Protection Authority
A Data Protection Authority is to be set up to protect the interests of individuals, prevent misuse of data, and ensure compliance with the Bill.
Data Transfer Outside India
Sensitive personal data may be transferred outside India for processing only with the explicit consent of the data principal and subject to certain conditions; a copy must continue to be stored in India.
Data Processing Exemptions
The Government can exempt agencies and companies from the Bill’s provisions, but such processing must still be for specific and lawful purposes under strong security safeguards. Exemptions may be granted in the interest of India’s security, sovereignty and integrity, friendly relations with foreign states, or to prevent incitement to the commission of a cognizable offence. Processing for personal, domestic, or journalistic purposes is likewise exempt from certain provisions.
Non-Compliance Penalties
In case of violations, the data fiduciary may be fined up to Rs 15 crore or 4% of its annual turnover, whichever is higher.
Government Rights
The Government can require data fiduciaries to provide non-personal data or anonymized personal data to improve the targeting and delivery of its services.
How You Can Ensure Data Privacy & Achieve Bill Compliance
The Security Layers You Need to Become Compliant
The PDP Bill is a practical framework for a focused regulatory approach to protecting individuals’ data privacy rights. By becoming technically compliant with its requirements, you protect your customers’ data from unauthorized access and malicious attacks. Compliance also lets you demonstrate that customers can trust you to handle their data with care, prove that you collect, store, manage, and share data in line with privacy law, assure customers that they retain ownership of their data, and protect the rights of individuals through effective data governance.