By Rudra Srinivas
Most people in India have never accessed the Internet through a computer. In fact, their encounter with the Internet is only through smartphones. As India's consumers lap up Internet services, social media and other apps, they gladly submit their personal details to service providers in exchange for free use of their services. And these details are usually stored on servers outside India's boundaries. That got the Government of India worried about data privacy.
So, in July 2017, the Government of India formed a committee of experts to study the issues related to data protection in the country. The committee was led by retired Supreme Court Justice BN Srikrishna. After working on it for a year, the committee submitted a draft of the Personal Data Protection (PDP) Bill in July 2018 and requested feedback from the public, Ministers, stakeholders, and other industry experts.
A revised draft of the Bill was submitted in the Parliament's lower house, the Lok Sabha, on December 11, 2019, and has been sent to a joint parliamentary committee (JPC) for further deliberations before being taken up for passing. There was widespread anticipation for the passing of the Bill in 2019; however, that has now been deferred. The Bill is expected to become a law or an Act in 2020.
What the Bill could achieve
The Personal Data Protection Bill (PDP Bill) is India's first attempt to domestically legislate the mechanisms for the protection of personal data and aims to set up a Data Protection Authority in the country. The Bill regulates the processing of citizens' personal data by government, companies incorporated in India, and foreign companies that are dealing with personal data of customers in India. Through the proposed law, the Government of India is rooting for data sovereignty by mandating that a certain class of data be stored within Indian borders.
The proposed Bill also allows processing of data by fiduciaries with the consent of the individual. A data fiduciary is an individual or entity that decides the purpose of processing personal data. However, the Bill also permits personal data processing without consent in some cases, such as when the government is providing benefits to the individual, for legal proceedings, and in medical emergencies.
Kinds of Personal Data, according to the proposal
The proposed Bill forces companies dealing with people's personal data to reconsider their data management practices. The Bill regulates three categories of data: Personal Data, Sensitive Personal Data, and Critical Personal Data.
The Bill defines Personal Data as any information that's collected online or offline which can be used to identify a person, like name, address, phone number, location, shopping history, photographs, telephone records, food preferences, movie preferences, online search history, messages, devices users own, and social media activity.
Sensitive Personal Data includes health care data (like private information you share with a doctor or healthcare apps), financial data (banking and payments information), sexual orientation, biometrics (facial images, fingerprints, iris scans), caste or tribe, religious and political beliefs.
Critical Personal Data has not yet been defined by the government.
Advantages to Citizens
The proposed Bill gives high priority to individual rights on data protection. As per the Bill, citizens' personal information can't be collected, processed, and shared without their consent. Only the necessary data will be collected and can be used for pre-defined purposes only.
The companies are required to be clear and concise on what data is collected, its purpose, how it's used, and for how long the data will be retained. The Bill also permits customers to move their data from one provider to another and allows users to know the number of companies with whom the data is shared.
Impact on Private Organizations
Private entities are required to place limits on data collection, processing, and storage of their customers' data. They're required to report any instances of security incidents to the regulator.
Additional responsibilities are also imposed on companies based on the volume of data they collect from customers. This includes periodic security audits, appointment of a data protection officer, and performing data protection assessments defined by the regulator. Social media platform providers will also be mandated to enable customers to verify their accounts.
Penalties
Tough penalties have been proposed for failing to comply with the data protection requirements. According to the Bill, any organization sharing customers' data without their consent will incur a fine of INR 15 crores (around US$ 2.1M) or 4 percent of its global turnover. A data breach, or a delay in addressing or reporting one, will result in a fine of INR 5 crores (US$ 0.7M) or 2 percent of global turnover. Individuals representing the companies can also be sentenced to a term in prison.
Data Localization Requirements
In terms of data localization, the Bill allows transfer of personal data across borders without any limitations. However, restrictions are placed on sensitive personal data, which needs to be stored in India. Sensitive personal data can also be processed outside the country if the regulator approves it. For critical personal data, the government will notify on its own which data needs to be stored and processed within the country.
Criticism on the Revised Bill
The Bill landed in controversy for being different from what was proposed by the expert group in its first draft in July 2018. The Indian government, through the proposed law, wants to allow law enforcement agencies and authorized third parties to have access to citizen data, to investigate crimes faster. In other words, it will exempt any government agency from legal obligations. This, of course, has led to resistance, and delayed the passing of the bill. Justice BN Srikrishna, the chief architect of the draft law, also has concerns and said the law can turn India into an Orwellian State.
Several industry experts have opined that unaccounted access to personal data of customers might lead to data misuse. The Bill provides an exemption to any agency of government from the application of the Act in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order. The unrestricted government access is like a two-sided coin scenario. On one hand, the privacy bill is a part of the government's efforts to have more control of data and help it track unlawful activities by using digital footprints. On the other hand, the users access may give the government unaccounted access to personal data of customers in the country leading to data misuse and unauthorized access, Jaspreet Singh, cybersecurity leader at EY, told CISO MAG.
Several privacy concerns have also been raised by experts over the revised draft Bill. The Bill states that personal and non-personal data may be processed without obtaining consent from the concerned user to help in the delivery of government services.
The changes that were made
Justice B.N. Srikrishna, who led the committee that drafted the 2018 PDP Bill, stated that there is no oversight on government agencies on accessing citizens' data. Sharing his thoughts on the same, Pavan Duggal, Advocate, Supreme Court, specialized in Cyberlaw and the Chairman of the International Commission on Cybersecurity Law, said, "The chapter on exemptions under the Data Protection Bill represents a massive dilution of the bill by giving these exemptions to governmental agencies. However, we also need to be mindful of the fact that governments would want certain access to personal data for sovereign and governance reasons. But the way the current exemptions came out is independent. It is the classical piece of legislation which is going two steps forward and six steps backward."
Impact on International Trade
Data protection discussions often revolve around discussions of transfer of data. In this regard, the proposed Bill has received a lot of attention from global tech tycoons as well as Indian firms that work for international companies.
There's no denying that this bill, if it becomes a law, will have a significant impact on foreign companies as well as trade between India and other nations. He stressed that the bill takes a U-turn from the stance the Reserve Bank of India (RBI) took in April 2018. The RBI in its notifications stated that all data relating to banking must be physically in India and cannot leave Indian soil and that continues to be the position till today. However, the proposed Bill is a complete walk down on the RBI stance as it allows sensitive data to be stored outside India, Pavan Duggal told CISO MAG.
The bill is a ground-breaking step for the nation towards building the significant base of trusted digital India. It will change the way privacy is perceived and practiced by various businesses. Global organizations based in India and/or providing services will be particularly impacted. Considering the data transfer mandates, as most global firms which process personal data of Indians store their data at remote locations will face challenges in terms of increased compliance costs, suggested Jaspreet Singh.
Where the Bill Stands Today
The much-awaited Bill, which was expected to be passed by the end of 2019, has been put on hold for now following severe concerns raised about changes in the proposal. The proposed Bill was recently referred to a JPC in consultation with various groups for further analysis. The joint committee, with 20 members from the Lok Sabha or lower house, and 10 from the Rajya Sabha (upper house), will be headed by Meenakshi Lekhi, Member of Parliament. The committee is expected to submit their views before the end of the upcoming budget session.
The PDP Bill lays down provisions for thwarting misuse of personal data in the country. It mandates data processing activities like data protection, storage, and management. On the flip side, the Bill, if passed, could bring major implications for national security, foreign investment, and international trade.
Rudra Srinivas is part of the editorial team at CISO MAG and writes on cybersecurity trends and news features.
Originally posted here:
All You Need to Know About India's First Data Protection Bill - CISO MAG