Data Privacy Day 2022: Indian Personal Data Protection Bill 2019’s benefits and effect on the industry

This Bill will legalise privacy, penalise its offender, ensure significant reduction of fraud and misuse of data, generate centralised data repository, and most importantly empower its citizens by making them aware of the power of their consent.

Data Privacy Day 2022: Indian Personal Data Protection Bill 2019’s benefits and effect on the industry

By Jaspreet Singh

India stands amongst the fastest growing data generating nations in the world. With around 4.66 billion internet users and new data being added at the rate of 2.5 quintillion bytes per day, the bar for the digital market can only be seen going up. The growth of such e-commercial markets in India is expected to be worth US$ 188 billion by 2025.

At present the sensitive data is regulated by the Information Technology Act 2000. When the world is moving swiftly towards improving the quality of life and instilling a sense of privacy & safety for its citizens – India could not be far behind. In order to regulate this big pool of data, the B.N. Srikrishna Committee Report, 2017 suggested the need for a data privacy law and regulation of this data. Mr. Ravi Shankar Prasad, Minister of Electronics and Information Technology introduced the Bill in Lok Sabha on December 11, 2019. The PDP Bill, 2019 was recently reviewed by the Joint Parliamentary Committee Report and was presented in the Winter Session that started on 29th November 2021. The Report suggested 93 changes and amendments to allow the non-personal data to also be looked after by the current Bill in place.

The PDPB is a big stepping stone for India in terms of meeting its compliance under Article 51 of the Constitution by providing the same level of protection to the personal data shared by any country. The objective of the Bill is “to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected therewith or incidental thereto”.

Where the Bill regulates the data flow, the proposed Data Protection Authority under the Bill is to work as an umbrella regulator to ensure compliance. With several benefits PDPB has provided a microscopic view on the various kinds of data being collected and the impossibility to distinguish between personal data and non-personal data, when mass data is collected or transported. The Committee thus opines that if privacy is the concern, non-personal data should also be included. Where the report provides insights on data localization, allowing coming up of new sandboxes, social media intermediaries, consent of child under the age of 18 years and several other important points, the report also pinpoints other important aspects such as having set guidelines to follow in case of data breach and its notification to the supervisory authority which is the DPAI.

Today, India caters to its citizens with various online platform services like Aadhar, Passport Seva, Open Data Stack (data.gov.in), MCA21, GSTN, Unified Payment Interface (UPI), WRIS (Jalshakti), DISHA (rural development), Bhuvan (ISRO), etc. These platforms have made life easier and can cross-cut through the various domains. The JPC report supports the argument that Data is an asset of national importance and by deploying the right data infrastructure and governance mechanism, data can come out as a power unleashing the power of data for India can become a reality.

The Report also discusses the implementation plan and recommends an approximate period of 24 months may be provided for implementation of any and all the provisions of the Act so that the people who are processing the data have enough time to alter the changes which are necessary to their infrastructure, policies and other processes. The Committee also suggested that the phased implementation may be undertaken in order to ensure that within three months, Chairperson and Members of DPA are appointed, activities related to work profiles of DPA commences within 6 months from the date of which the Act has been notified to all, registration process of data fiduciaries should also start and not be extended further than 9 months and be given a timeline for the process to get completed, the work handled by appellate tribunal and adjudicators should also commence within first 12 months. Lastly, all the provisions of the act shall be deemed effective within a 24-month period from the date on which the public gets notified of this Act.

Where the Bill focuses on providing support to new innovations and ventures in the form of sandboxes, the constant requirement to formulate robust data management policies, standards, and best practices should not be ignored. As India moves ahead in developing a data ecosystem across public and private sectors to spur data-led innovation it becomes essential to have the PDPB take care of data privacy and protection challenges. PDPB thus lays down a foundation stone for creation of a large and well-organized data ecosystem that encourages innovation, entrepreneurship and job creation.

This Bill will legalise privacy, penalise its offender, ensure significant reduction of fraud and misuse of data, generate centralised data repository, and most importantly empower its citizens by making them aware of the power of their consent. This bill will put an end to the rampant misuse of citizens’ personal details by other countries and force data controllers and processors to localise data, significantly minimise the amount of unnecessary data collected, generate employment and make us better equipped for the upcoming Data War.

The protection of data of the citizens and the legalization of the privacy framework is long due and so is the seriousness of foreign entities towards data privacy in India. With the astounding growth in technology and ruling the world with our technological supremacy, it is imperative that we take the first step towards the challenge of managing the data of a vastly populated democracy. It is time to end the exploitation of social media, marketing platforms and all those entities who flagrantly violate the concept of ‘Internet Freedom’ in the guise of consent.

(The author is partner and national leader, client and markets – technology and transformation, Grant Thornton Bharat. Views are personal and not necessarily that of FinancialExpress.com)