
How Does the Personal Data Protection Bill (PDP) impact Indian Businesses


Voice&Data Bureau

A quick rundown of points on how the Bill applies to businesses inside and outside India, and how it requires those who sell to Indians, or track and profile Indians online, to put in safeguards. Businesses focused on children or processing a lot of children’s data have special caveats: no targeted advertising towards children and no tracking or profiling of their behaviour.


By Shivangi Nadkarni

Why is there so much discussion around the Data Protection Bill (DPB), which has been reviewed by a Joint Parliamentary Committee (JPC) in consultation with experts and stakeholders?


A final report with the Bill has been submitted to Parliament after five extensions over two years. Why is this bill a game-changer for Indian businesses and Indian consumers?

Impact

With an ever larger number of business and social transactions moving online, the level and quantity of data on the Internet are unimaginable. Personal information includes nearly every facet of life: language and food preferences, search histories, travel and shopping, banking and financial transactions, family (photos, vacations, relationships), jobs and professional work, political views, and educational qualifications.


‘Data is the new oil for businesses’ and ‘Data is the ultimate power.’

We often ignore the human being at the center of all of this data. As consumers, users and individuals, we have absolutely no say in the type, quantum, frequency, and nature of data being collected, aggregated, sorted, filtered, diced, and used.

How does one protect oneself from becoming nothing but a pure number or value or a part of a superset of preferences and then targeted for promotions of products from cosmetics to financial instruments?


In most cases, individuals whose lives have come to depend more and more on ‘digital platforms’ – be it shopping or learning (education), entertainment, or banking – have no control over the personal information and data that is ‘sucked out’ of them and their devices, nor over how they are monitored by the algorithms of large tech companies.

In this context, the DP Bill tries to reset the ‘imbalance’, at least to an extent. Other countries that have adopted similar laws are the European Union (the General Data Protection Rules (GDPR)), several states in the US like California (the California Consumer Protection Act, 2018), Canada (Personal Information Protection Act, 2000), Japan (Act on Protection of Personal Information), Singapore (PDPA) and many more.

Here is a quick rundown on how it impacts every business and why every organization needs to pay attention.


Requirements from Indian Businesses / Corporates

India’s DPB requires every business – big or small – to amend their business practices, bringing back the focus on the individual. Here is the key set of requirements for every business to gear up for:

  • Collect only what you need to provide a particular product or service – and nothing more. (Section 6 of PDPB; Article 5(1)(b) of GDPR)
      ◦ So, no more forcing the individual to “tell me what car you own” while, say, buying a magazine subscription.
  • Have a clear purpose for every bit of personal data you collect, and use that data only for that purpose. (Section 5 of PDPB; Article 5(1)(b) of GDPR)
      ◦ So, no more routinely using data an individual has given you while purchasing Product A to send her mailers about Product B.
  • Get the individual’s consent for the purposes you plan to use her data for, and give her the freedom to make a choice where possible. (Section 5(b) and Section 11 of PDPB; Article 6(1)(a), Article 7, Article 8 and Article 9(2)(a) of GDPR)
      ◦ So, no more of a default assumed ‘Yes’ to ‘you can share all the data you collect about me when I use your mobile app with advertisers and data brokers as you wish’.
  • Delete the data as soon as it has served its purpose. (Section 9 and Section 20(1)(a) of PDPB; Article 17(1)(a) of GDPR)
  • Get ready to cater to several rights that she can call upon you to exercise at will. (Section 17 to Section 21 of PDPB; Article 12 to 23 of GDPR) Some of these are:
      ◦ ‘Could you confirm to me if you have any of my data in your custody?’ She doesn’t even have to be your current or past customer to demand this from you.
      ◦ ‘Could you give me a copy of all my data lying with you?’ This includes data that you may have collected directly from her, or by observing her while she visited your website or outlet, or data generated about her as part of your operations (like an account statement), or even data about her that you may have procured from other entities.
      ◦ ‘Could you give me a list of all other entities you have shared my data with?’ This includes all your vendors, marketing partners, and even those entities whose plug-ins you have on your website or app.
      ◦ ‘Could you stop processing or disclosing my data to others?’ This could be for specific types of activities (like, say, not tracking or profiling her) or for all activities, if she is no longer your active customer.
      ◦ ‘Could you erase all the data you have about me?’ This includes data in your custody as well as what you may have shared with others.
  • Ensure the security of the data in your custody. (Section 24 of PDPB; Section 28(1)(b), Section 29(2)(d), Section 50(6)(l), Section 63(4)(f), Section 64 (explanation) and Section 87(2)(ob) of IT Act, 2000; Article 5(1)(f), Article 32 and Article 40 of GDPR)
      ◦ And if any data is leaked, lost, stolen, damaged, etc. – deliberately or by mistake – you will need to notify the Data Protection Authority (the regulator) within 72 hours, which, in turn, may require you to notify the affected individuals too.

Other key points from the Bill are of direct relevance to a business, notably how Personal Data has been defined and categorized:

  • It includes any data that can identify an individual – directly or indirectly. So data like IP addresses, data collected via mobile app permissions, data collected via cookies and trackers on websites, etc., are all considered Personal Data.
  • Some Personal Data, like health data, biometrics, financial data, transgender status, caste, etc., is categorized as ‘Sensitive Personal Data’.
  • There are extra curbs and controls around how Sensitive Personal Data needs to be treated by an organization. Also, if this data is sent outside India, a copy needs to be retained in India.
  • Some Personal Data may be categorized as ‘Critical Personal Data’. While the data under this category is yet to be defined by the government, it would contain data that is of national importance.
  • Such data cannot be sent outside India, except under certain very special circumstances. (Section 33 and 34 of PDPB; Article 45 and 46 of GDPR)

This Bill applies to businesses outside India as well – those who sell to Indians or who track and profile Indians who are online. This extra-territorial aspect is similar in approach to the GDPR. (Section 2 of PDPB; Article 3 of GDPR) Businesses focused on children, or who process a lot of children’s data, have special caveats. For example, you cannot do targeted advertising towards children, or track, profile or do a behavioural analysis of children. (Section 16 of PDPB; Article 8 of GDPR)

Certain businesses that process large volumes of personal data, whose nature of business is such that it can have an impact on a large number of individuals, or that are otherwise considered risky, are being categorized as ‘Significant Data Fiduciaries’, requiring them to put a whole lot of extra controls and processes in place.

There are a host of obligations that businesses have to carry out. These include:

  • Adopting several accountability and transparency measures, like putting up a detailed Privacy Notice on websites, adopting a Privacy by Design Policy, maintaining various records pertaining to processing activities, demonstrating the fairness of algorithms deployed, carrying out Data Protection Impact Assessments, etc.
  • Designating a senior person as a Data Protection Officer (DPO).
  • Carrying out Data Audits and getting a Data Trust Score – to be displayed in the Privacy Notice – for certain types of organizations.

What if you don’t do any of this?

Well, the penalties are steep. This is in keeping with where the world is headed on penalties for privacy infringements, a trend started by the GDPR. (Section 57 to 65 of PDPB; Article 83 and 84 of GDPR)

For serious offenses or non-compliances, the fines can be up to Rs. 15 Crores or 4% of global turnover, while for others they can be up to Rs. 5 Crores or 2% of global turnover. The 4% and 2% of global turnover is exactly like it is in the GDPR.

Besides, there are criminal liabilities associated with re-identifying de-identified data. Plus there are a host of ‘smaller’ offenses inviting lesser fines and penalties.

How much time do you have for compliance?

You will get 2 years from the date of notification of the Law (remember – this is just a bill; it is yet to be passed in Parliament for it to become a law). However, remember that actually translating all of the above into organizational realities takes a LONG TIME – years, not months. Looking at how organizations in other countries have fared gives us a fair indication of this. For example, the GDPR in the EU was passed in 2016, came into effect in 2018, and organizations are still trying to comply.

Nadkarni is Co-Founder & CEO, Arrka
