By Rudra Srinivas
Most people in India have never accessed the Internet through a computer. In fact, their encounter with the Internet is only through smartphones. As India's consumers lap up Internet services, social media and other apps, they gladly submit their personal details to service providers in exchange for free use of their services. And these details are usually stored on servers outside India's boundaries. That got the Government of India worried about data privacy concerns.
So, in July 2017, the Government of India formed a committee of experts to study the issues related to data protection in the country. The committee was led by retired Supreme Court Justice BN Srikrishna. After working on it for a year, the committee submitted a draft of the Personal Data Protection (PDP) Bill in July 2018 and requested feedback from the public, Ministers, stakeholders, and other industry experts.
A revised draft of the Bill was submitted in the Parliament's lower house, the Lok Sabha, on December 11, 2019, and has been sent to a joint parliamentary committee (JPC) for further deliberations before being taken up for passing. There was widespread anticipation for the passing of the Bill in 2019; however, that has now been deferred. The Bill is expected to become a law or an Act in 2020.
What the Bill could achieve
The Personal Data Protection Bill (PDP Bill) is India's first attempt to domestically legislate the mechanisms for the protection of personal data and aims to set up a Data Protection Authority in the country. The Bill regulates the processing of citizens' personal data by government, companies incorporated in India, and foreign companies that are dealing with personal data of customers in India. Through the proposed law, the Government of India is rooting for data sovereignty by mandating that certain classes of data be stored within Indian borders.
The proposed Bill also allows processing of data by fiduciaries with the consent of the individual. A data fiduciary is an individual or entity that decides the purpose of processing personal data. However, the Bill also permits personal data processing without consent in some cases, such as when the government is providing benefits to the individual, for legal proceedings, and in medical emergencies.
Kinds of Personal Data, according to the proposal
The proposed Bill forces companies dealing with people's personal data to reconsider their data management practices. The Bill regulates three categories of data: Personal Data, Sensitive Personal Data, and Critical Personal Data.
The Bill defines Personal Data as any information that's collected online or offline which can be used to identify a person, like name, address, phone number, location, shopping history, photographs, telephone records, food preferences, movie preferences, online search history, messages, devices users own, and social media activity.
Sensitive Personal Data includes health care data (like private information you share with a doctor or healthcare apps), financial data (banking and payments information), sexual orientation, biometrics (facial images, fingerprints, iris scans), caste or tribe, religious and political beliefs.
Critical Personal Data has not yet been defined by the government.
Advantages to Citizens
The proposed Bill gives high priority to individual rights on data protection. As per the Bill, citizens' personal information can't be collected, processed, and shared without their consent. Only the necessary data will be collected, and it can be used for pre-defined purposes only.
Companies are required to be clear and concise on what data is collected, its purpose, how it's used, and for how long the data will be retained. The Bill also permits customers to move their data from one provider to another and allows users to know the number of companies with whom the data is shared.
Impact on Private Organizations
Private entities are required to place limits on the collection, processing, and storage of their customers' data. They're required to report any instances of security incidents to the regulator.
Additional responsibilities are also imposed on companies based on the volume of data they collect from customers. This includes periodic security audits, appointment of a data protection officer, and performing data protection assessments defined by the regulator. Social media platform providers will also be mandated to enable customers to verify their accounts.
Tough penalties have been proposed for failing to comply with the data protection requirements. According to the Bill, any organization sharing customers' data without their consent will face a fine of INR 15 crores (around US$ 2.1M) or 4 percent of its global turnover. A data breach and a delay in addressing or reporting it will result in a fine of INR 5 crores (US$ 0.7M) or 2 percent of global turnover. Individuals representing the companies can also be sentenced to a term in prison.
Data Localization Requirements
In terms of data localization, the Bill allows transfer of personal data across borders without any limitations. However, restrictions are placed on sensitive personal data, which needs to be stored in India. Sensitive personal data can also be processed outside the country if the regulator approves it. For critical personal data, the government will itself notify which data needs to be stored and processed within the country.
Criticism of the Revised Bill
The Bill landed in controversy for being different from what was proposed by the expert group in its first draft in July 2018. The Indian government, through the proposed law, wants to allow law enforcement agencies and authorized third parties to have access to citizen data, to investigate crimes faster. In other words, it will exempt any government agency from legal obligations. This, of course, has led to resistance and delayed the passing of the Bill. Justice BN Srikrishna, the chief architect of the draft law, also has concerns and said the law can turn India into an Orwellian State.
Several industry experts have opined that unaccounted access to personal data of customers might lead to data misuse. The Bill provides an exemption to any agency of government from the application of the Act in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order. The unrestricted government access is like a two-sided coin scenario. On one hand, the privacy bill is a part of the government's efforts to have more control of data and help it track unlawful activities by using digital footprints. On the other hand, the users' access may give the government unaccounted access to personal data of customers in the country leading to data misuse and unauthorized access, Jaspreet Singh, cybersecurity leader at EY, told CISO MAG.
Several privacy concerns have also been raised by experts over the revised draft Bill. The Bill states that personal and non-personal data may be processed without obtaining consent from the concerned user to help in the delivery of government services.
The changes that were made
Justice B.N. Srikrishna, who led the committee that drafted the 2018 PDP Bill, stated that there is no oversight on government agencies accessing citizens' data. Sharing his thoughts on the same, Pavan Duggal, a Supreme Court advocate specializing in cyberlaw and the Chairman of the International Commission on Cybersecurity Law, said, "The chapter on exemptions under the Data Protection Bill represents a massive dilution of the bill by giving these exemptions to governmental agencies. However, we also need to be mindful of the fact that governments would want certain access to personal data for sovereign and governance reasons. But the way the current exemptions came out is independent. It is the classical piece of legislation which is going two steps forward and six steps backward."
Impact on International Trade
Data protection discussions often revolve around the transfer of data. In this regard, the proposed Bill has received a lot of attention from global tech tycoons as well as Indian firms that work for international companies.
There's no denying that this bill, if becomes a law, will have a significant impact on foreign companies as well as trade between India and other nations. He stressed that the bill takes a U-turn from the stance the Reserve Bank of India (RBI) took in April 2018. The RBI in its notifications stated that all data relating to banking must be physically in India and cannot leave Indian soil and that continues to be the position till today. However, the proposed Bill is a complete walk down on the RBI stance as it allows sensitive data to be stored outside India, Pavan Duggal told CISO MAG.
The bill is a ground-breaking step for the nation towards building the significant base of trusted digital India. It will change the way privacy is perceived and practiced by various businesses. Global organizations based in India and/or providing services will be particularly impacted. Considering the data transfer mandates, as most global firms which process personal data of Indians store their data at remote locations will face challenges in terms of increased compliance costs, suggested Jaspreet Singh.
Where the Bill Stands Today
The much-awaited Bill, which was expected to be passed by the end of 2019, has been put on hold for now following severe concerns raised about changes in the proposal. The proposed Bill was recently referred to a JPC in consultation with various groups for further analysis. The joint committee, with 20 members from the Lok Sabha or lower house, and 10 from the Rajya Sabha (upper house), will be headed by Meenakshi Lekhi, Member of Parliament. The committee is expected to submit their views before the end of the upcoming budget session.
The PDP Bill lays down provisions for thwarting misuse of personal data in the country. It mandates data processing activities like data protection, storage, and management. On the flipside, the Bill, if passed, could bring major implications for national security, foreign investment, and international trade.
Rudra Srinivas is part of the editorial team at CISO MAG and writes on cybersecurity trends and news features.
Originally posted here:
All You Need to Know About India's First Data Protection Bill - CISO MAG