In May 2018, the European Union's General Data Protection Regulation (GDPR) came into force. It was meant to strengthen privacy protections and impose binding obligations on any organization that processes the personal data of people in the EU. A few months ago, India proposed a similar framework that would require technology companies to obtain permission from individuals before collecting and mining their personal data.
According to the Harvard Business Review, India's Personal Data Protection Bill requires a digital company to have explicit permission from users before collecting their personal data. This is not a box that users tick once without reading what they are agreeing to: consent must be obtained for each purpose and stage of data processing, and users can withdraw it later. If a user decides they no longer want to be a Facebook user, they can request to have all of their history deleted, and that deletion has to reach every company that received the data from Facebook as a third party, which is a challenge for anyone who builds on a platform's data.
India's bill also contains a provision with no GDPR counterpart: as a nation state, India plans to treat data generated by its citizens as a national asset and reserves the right to use that data to safeguard its strategic initiatives, according to the Harvard Business Review. Treating data as a national asset is one of the key differences between GDPR and the Indian bill. GDPR restricts transfers of personal data to countries without adequate protection, but it does not require data to be stored inside the EU and gives the state no special access to data on national-interest grounds. If India weighs data policy against political demands, it could create a complex environment for organizations to navigate. Because India has such a large population of internet users, these regulations could have a global impact.
Overview of the Proposed Bill
The proposed Personal Data Protection Bill would change the way companies handle their customers' personal data. The bill covers financial details, biometric data, caste and other personal information and protects it from unauthorized use or access. It would also establish a Data Protection Authority to oversee compliance and impose consequences on organizations that do not abide by the new rules.
Because the bill is still a draft, its penalty regime is not final, but several tiers have been proposed. One is a fine of 5,000 rupees (approximately $65) for each day an organization fails to comply with a request made by a data principal (the bill's term for the individual the data is about). If the failure continues, the fine is capped at 10 lakh rupees (slightly more than $13,000) for significant data fiduciaries and 5 lakh rupees (about $6,600) in other cases, according to Deloitte. A separate, far heavier tier for broader noncompliance is a fine of about $700,000 or 2% of a company's global revenue, whichever is higher, according to the Harvard Business Review.
If the bill becomes law, it will affect every organization classified as a "data fiduciary" that handles personal information, from e-commerce to insurance. Any business that independently determines the purpose and means of processing personal data will have to change its practices and will be subject to new reporting requirements, according to the bill. For example, ride-sharing apps like Uber that choose to sell customer information will need to update their policies, tell users what is collected and with whom it is shared, and obtain their consent for that sharing.
Pushback Related to the Bill
Under the bill, sensitive data must remain on servers within India's territory, while nonsensitive data can be stored internationally. Which data falls into which category is defined by the bill itself, with the Indian government retaining the power to decide what counts as "critical" personal data. The bill creates a three-tiered structure that determines what must be stored locally and what may be transferred outside India: personal data, which carries no localization restriction; sensitive personal data, which may be transferred abroad for processing under conditions but must continue to be stored within India; and critical personal data, which faces the strictest limits and may be processed only in India, according to Inside Privacy.
Because the country has 200 million internet users, many believe implementing new data practices would be too costly. Another key concern is the bill's effect on India's growing digital economy. There are also cybersecurity and national security concerns about the vulnerabilities data localization creates: mandating that copies of citizens' data sit on servers inside the country concentrates it into a high-value target and makes it easier for the state to compel access. Because the bill requires data to be stored within the country, there is additional concern about politically motivated decisions. Russia's data localization law, for example, created disputes between the Russian government and Western governments and companies, according to the Lawfare Institute.
The bill also proposes to criminalize illegitimate re-identification of user data. Today, companies that analyze or share user information commonly de-identify it first: direct identifiers such as names, phone numbers and account IDs are removed or replaced with tokens, and fields like precise location or medical records are coarsened or separated from the rest, so that a leaked or shared dataset is of less use to an attacker. Re-identification reverses that process by linking the remaining attributes back to a specific person, for instance by joining the dataset with another one that still contains names. Under the bill, anyone who re-identifies de-identified data without consent will face hefty fines and possible jail time, WIRED reports.
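The de-identification and re-identification described above are easiest to see with a small worked example. The following Python script is an added illustration, not code from the article or from any company or regulator it mentions; the records, the directory and the secret key are constructed for the demonstration. It pseudonymizes a dataset with a keyed HMAC, shows that a linkage attack on the remaining quasi-identifiers (postal code, birth year, sex) still re-identifies every record against a separately published directory, and then shows how generalizing those fields raises the dataset's k-anonymity so the linkage becomes ambiguous.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data (not from the article): a "de-identified" health
# extract and a separately published directory that shares quasi-identifiers.
RAW_RECORDS = [
    {"user_id": "u1001", "name": "Asha Rao",   "pin": "560001", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"user_id": "u1002", "name": "Ravi Menon", "pin": "560001", "birth_year": 1990, "sex": "M", "diagnosis": "diabetes"},
    {"user_id": "u1003", "name": "Priya Nair", "pin": "560034", "birth_year": 1985, "sex": "F", "diagnosis": "hypertension"},
    {"user_id": "u1004", "name": "Karan Shah", "pin": "560034", "birth_year": 1992, "sex": "M", "diagnosis": "migraine"},
]
PUBLIC_DIRECTORY = [
    {"name": "Asha Rao",   "pin": "560001", "birth_year": 1985, "sex": "F"},
    {"name": "Ravi Menon", "pin": "560001", "birth_year": 1990, "sex": "M"},
    {"name": "Priya Nair", "pin": "560034", "birth_year": 1985, "sex": "F"},
    {"name": "Karan Shah", "pin": "560034", "birth_year": 1992, "sex": "M"},
    {"name": "Meera Iyer", "pin": "560034", "birth_year": 1988, "sex": "F"},
]
DIRECT_IDENTIFIERS = ("user_id", "name")
QUASI_IDENTIFIERS = ("pin", "birth_year", "sex")
SECRET_KEY = b"hypothetical-key-kept-outside-the-dataset"  # assumption: stored in a KMS, not with the data


def pseudonymize(records, key=SECRET_KEY):
    """Drop direct identifiers and replace user_id with a keyed HMAC pseudonym.
    A keyed HMAC, unlike a bare SHA-256 of a short user_id, cannot be inverted
    by anyone without the key simply by hashing every plausible user_id."""
    out = []
    for r in records:
        pseudo = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["pid"] = hmac.new(key, r["user_id"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append(pseudo)
    return out


def link(deidentified, directory, quasi=QUASI_IDENTIFIERS):
    """Linkage attack: join on the quasi-identifiers both datasets share.
    Returns {pid: set of candidate names}; a set of size 1 is a re-identification."""
    index = defaultdict(set)
    for d in directory:
        index[tuple(d[q] for q in quasi)].add(d["name"])
    return {r["pid"]: index.get(tuple(r[q] for q in quasi), set()) for r in deidentified}


def reidentified(deidentified, directory):
    """Number of pseudonymous records that link to exactly one directory name."""
    return sum(1 for names in link(deidentified, directory).values() if len(names) == 1)


def generalize(record):
    """Coarsen quasi-identifiers: PIN code to its 3-digit prefix, birth year to decade."""
    g = dict(record)
    g["pin"] = record["pin"][:3]
    g["birth_year"] = record["birth_year"] // 10 * 10
    return g


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """k-anonymity: size of the smallest group of records that share the same
    quasi-identifier values. k = 1 means some record is unique and linkable."""
    counts = defaultdict(int)
    for r in records:
        counts[tuple(r[q] for q in quasi)] += 1
    return min(counts.values())


if __name__ == "__main__":
    released = pseudonymize(RAW_RECORDS)
    print("as released: k =", k_anonymity(released),
          "records re-identified =", reidentified(released, PUBLIC_DIRECTORY))
    coarse = [generalize(r) for r in released]
    coarse_dir = [generalize(d) for d in PUBLIC_DIRECTORY]
    print("generalized: k =", k_anonymity(coarse),
          "records re-identified =", reidentified(coarse, coarse_dir))
```

Removing names and tokenizing the account ID is not enough on its own: on this data every released record is still unique on (pin, birth_year, sex) and links to exactly one directory entry. After generalizing the PIN to its prefix and the birth year to a decade, each record shares its quasi-identifier values with at least one other (k = 2) and the best an attacker gets is a candidate set, not a name. In practice the choice of quasi-identifiers and the target k are policy decisions, and generalization trades analytic precision for that protection.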
If the bill is approved, organizations that want to analyze and share personal data across markets will need to plan for consent management, localization and deletion requirements in advance. How the final law is shaped, and how strictly it is enforced, remains to be seen.