Personal Data Protection Bill 2019: If You Run A Company, Know How It Is Going To Affect You

The Personal Data Protection Bill (PDP), 2019, was introduced in the Parliament in December 2019 and has been referred to a Joint Parliamentary Committee (JPC) for review.

The Bill seeks to regulate the use of individuals' data by the government authorities and private companies (Data Fiduciaries) which encompass the access, use, and storage of the information by such entities.

Informed consent of the user (Data Principal), minimum collection of information, specified use and destruction of the personal data after use, are certain specific requirements under the Bill.

Personal data, for all purposes, would mean any information that directly or indirectly identifies a natural person. In a technology-driven world, the word 'data' can be used interchangeably to connote personal data since every data set in one form or the other can be analyzed to identify a person.

There are, however, certain loopholes pertaining to the government.

The provisions proposed in the law gives the government the power to exempt any of its agencies from the guidelines which imply that any government agency can access one's data if the government considers it necessary in the "interest of sovereignty and integrity of the country."

Impact On Companies?

According to the annual report (2018-2019) published by the Ministry of Electronics and Information Technology, the number of internet users in the country is expected to reach 829 million by 2021.

As per the India Brand Equity Foundation (IBEF):

The Indian e-commerce market is expected to grow to US$ 200 billion by 2026 from US$ 38.5 billion as of 2017. The aggressive growth in the industry can be credited to the increasing internet and smartphone penetration. India's internet economy is expected to double from US$ 125 billion as of April 2017 to US$ 250 billion by 2020, substantially due to e-commerce.

Such staggering numbers in terms of internet usability in India further stresses the need for a law on information management and privacy.

• As India is about to get the first comprehensive legislation that focusses on data protection and data processing to ensure the right to privacy of the citizens, it could result in inevitable and significant changes in the way digital businesses and companies operate in India. The PDP Bill prevents the processing of personal data without any specific and lawful purpose.

  The internet-based services, e-commerce companies, social-media-based businesses especially the eruption of innumerable start-ups and digital services would be introduced to a new legal ecosystem.

  An obligation to inform the users on what data is being collected and the purpose that it would be put to use for would also fall on such entities.

  The companies and digital organizations will be expected to upgrade their practices of data handling. Plans for proper allocation of budget for a seamless transformation to the expected legal landscape should be worked on now.

  The Data Fiduciaries need to maintain the confidentiality of the information and the data obtained as part of their business process. Implementation of steps to meet the requirement of data localization and transfer and introduce data security safeguards is the need of the hour.

  Company practices including the access and storage purpose, securing rights involving the right to erasure and preparing impact assessment reports will be required to be worked on.

  These regulations, once put in place will help in the review of the personal data held by the Data Fiduciary periodically and refrain entities from misusing the user data.

  It is imperative to note that the companies can initiate the planning process with respect to the size of the business, the scale of the operations, the process, and purpose of collection of data and data flows in the business, global or a local consumer reach and the sensitivity of the data being held.

  Industries can proactively engage in forecasting and establishing codes that would work for the companies. Every Data Fiduciary will also be statutorily required to prepare and adopt Privacy by Design Policy, approved by the Deputy Protection Authority (DPA) and published on the website.

  Privacy by Design policy refers to the privacy policy programs that the organizations will have to develop and then get it certified by the DPA. There are also provisions of data audits being conducted annually where an auditor will give 'data trust score' to the organizations.

  The Bill will also put restrictions on the transfer and storage of critical data which is expected to affect the operating efficiency of the organizations. Taking the legal complexities into consideration, the Data Fiduciaries should consult experts and take adequate steps to increase their preparedness regarding the modifications.

  The in-between period can be used by the companies to reconfigure the software technology used, rebuild their business practices and re-frame the process through which personal data is captured, stored and processed.

  With the support of Internet Freedom Foundation, The Logical Indian is running a campaign to make people aware of the Data Protection Bill and then fix it. Through #SaveOurPrivacy initiative we are taking our voice to a Joint Committee of Parliament that is, at present, considering and taking inputs. By clicking on the pledge you sign on to the campaign and bring a change.

  Also Read: What Happens When Personal Data Protection Bill Becomes A Law?