In today's newsletter, we simplify the new Personal Data Protection Bill that everyone's talking about.
In late 2017, the Supreme Court of India pronounced a landmark verdict. It held that every citizen in India is entitled to his/her right to privacy. And that information privacy (considering we are now living in the digital age) is a part of this broader fundamental right. This was the first time someone formally acknowledged that we needed to allow users to have more control over how their data is collected and stored by entities operating in India.
The only problem — Existing laws were woefully inadequate to deal with information use/flow in the digital era. So the government got to work and decided to put together an overarching framework that could deal with this pesky little issue.
The Outcome — The Personal Data Protection Bill
The stated goal is simple. To protect user data and give control back to the people. This means asking users for clear consent before getting to work with their data — “What will we do with the data?”, “Where will the data be stored?”, “Is there going to be any behavioural profiling on the customer?”. Stuff like that. Also, firms can no longer get away with simply asking for blanket permissions from users. If there’s an app that promises to show you the weather, it can’t be asking for your phone number, SMS data, voice recordings, your bedtime routine, etc. That can’t happen anymore, because why would a weather app want to go through your SMS records?
The bottom line — The data processor can only collect data that is necessary to provide services that have been agreed upon. No more. No less.
The Bill also includes provisions that mandate companies to provide users with options to migrate their data from one service provider to another. In fact, users will also have the right to be completely forgotten. So you no longer have to worry about your data being mined, long after you’ve stopped using the service. And to ensure service providers fully comply with the new regulations, there will be periodic reviews to see if anyone’s being lax. In the event that they fail to comply fully, penalties will follow.
While this seems like an excellent proposition, it’s not completely bereft of problems either. Most notably — the issues pertaining to data localization.
Now the government has mandated that certain critical data will have to be stored locally, i.e. in India. The problem is that this is going to court retaliation. Now we still don’t know what “critical data” actually entails, but other countries aren’t going to like this sort of thing. They’ll impose restrictions of their own. Imagine Infosys having to build local data centres in the United States to process and use information from US citizens. Okay, maybe Infosys can afford it. But what about some small Indian company trying to set up an offshore base? They’ll have to make new investments and this can’t possibly be good for business.
In fact, this seems to be the biggest criticism for now, in that the regulations don’t take into account the economic impact of data protection/localisation and we could actually end up hurting many businesses in the process. Others contest that the government has given itself massive leeway to adjudicate matters pertaining to violations and that it seems like it's a bit excessive.
But despite all this, the introduction of the data protection bill is definitely a step in the right direction. At least now we will know what we are getting into, right?