India’s Personal Data Protection Bill – How does it affect YOU

Why is the bill such a big deal?

– by Shivangi Nadkarni, Co-Founder & CEO – Arrka

The much-awaited Indian Personal Data Protection Bill was released by the Shrikrishna Commission yesterday. How is this of any relevance to YOU? You – the Savvy ‘Digital’ Indian, the user of smart phones, apps and social media, the one who does almost everything online? Read on to know how the road ahead has just gotten a lot more optimistic for YOU…

Some background: If you recollect, last year, the Supreme Court of India ruled that Privacy is a Fundamental Right. This bill helps translate this right into tangible action in the context of Information or Data Privacy. The bill is now out for public comments. Based on inputs gathered and various debates that are sure to emerge, many amendments would be made. Finally, it should find its way to Parliament to translate into a law. However, no matter what version of the bill ultimately gets passed, certain realities are here to stay and won’t change.

At the core of this bill is the fact that it clearly makes YOU – the individual – the OWNER of YOUR Personal Data. Does this come as a surprise to you? You probably assumed this has always been the case, right? Well... you were wrong. Till date, whichever entity took your data was considered the owner of the data. Now, the ownership would be back with you. In fact, the bill calls you the ‘DATA PRINCIPAL’. So now whichever entity gets hold of your personal data holds it only in a ‘fiduciary’ relationship. Which means the entity shall hold your data in ‘good faith and trust and responsibility and act in your best interests’.

Personal Data itself is defined as any data that can make you ‘IDENTIFIABLE’ – either directly or indirectly. Which means it is not only your demographic/financial/health data but also data like your IP address, location data, the meta-data that gets tagged to your emails, your mobile device identifier, etc. In short – all elements of your digital self that are today used to identify you, track you, build your profile and, subsequently, to influence you.

Incidentally, this bill applies to entities even outside India who may be selling something to you or just tracking & profiling you. It is not just Indian entities who would come under the ambit. Secondly, this applies to the Indian government as well – not just corporates.

So, as the owner of your personal data, what are going to be your prerogatives? Some key ones are summarized below:

• Your data can be collected from you (either directly or via someone else) only after the entity tells you WHY it is collecting it (the purpose). And they can USE it only for that purpose and not for anything else. So, for example, a company or government department cannot collect data from you saying it is for providing you a particular service – and then proceed to sell it to some marketer without telling you.
• WHAT data they collect has to be only to the extent needed to meet the purpose they have told you about. Which means soon gone will be the days when you walked into a store to buy a pair of shoes and they asked you for your mobile number and address… and if you asked them why they needed your mobile number, the answer typically would be ‘the (billing) system needs it, Ma’am’. Stores cannot get away with such stuff anymore.
• The entity would have to tell you all this CLEARLY and in language that you can understand – not tuck it away in the midst of fine print or legalese which you never read. Plus they need to get your CONSENT to this. By the way, you can withdraw this consent at any point in time that you wish to. Of course, if this is in the middle of a service you are enjoying from the entity, then they can stop providing you the service.
• Further, this data that is collected cannot be retained forever. As soon as the purpose for which it was collected is fulfilled, it has to be deleted – unless it is specifically required to be retained for some legal purpose.

That’s not all… you will now enjoy some rights too:

• Right to know if any data about you is there with a particular entity or not
  – If yes, what this data is
  – Whether it is correct and up-to-date. If not, you can correct it
  – Therefore, guessing games can be put to rest and you can actually ask companies to confirm if they have your data

• Right to be forgotten
  – Which means if you want some entity who may have your data in their records to erase it completely, they would need to do so (as long as it doesn’t affect the service/product they are offering you)
  – Further, they would need to ensure it is deleted from the records of all other entities they may have shared it with in the past
  – In short, you have a right to be ‘forgotten’ by this entity in all respects

• Right to data portability
  – Gives you the freedom and power to easily migrate between different entities without having to worry about the pain of migrating all your data as part of the process

Of course, there are legitimate exceptions to each of the above – but they are for specific cases which are mostly to do with law & order situations or other logical reasons.

In today’s day and age – where cyberattacks happen regularly and data gets stolen or leaked out – an entity that has your data would be required to inform you of a data breach if your data is amongst the affected cases and the breach is likely to cause harm to you. This is a big step forward from the current situation where no entity in India is obliged to inform you if your data has been compromised.

You will have the facility to file complaints on anything to do with your personal data with a grievance officer that the entity would be required to appoint. So, we can soon bid good-bye to the days when you wonder where to complain and whether at all your complaint would be heard in the first place. If you don’t get a response, you can escalate it to the Data Protection Authority that is being set up under this Bill.

While all this seems like a dream, your cynical self is likely to ask “Why would any entity bother about complying with this law?” After all, we have so many laws in place that nobody seems to really bother about. Well, there is good reason to hope this law will be taken seriously – simply because the fines for not complying are fairly steep. They can be up to Rs. 15 crore or 4% of global turnover, or Rs. 5 crore or 2% of global turnover of an entity – depending on what kind of violation has been done. What’s more, there is also imprisonment mentioned for certain types of violations.

Of course, the bill covers many other areas and has a whole lot of other provisions and clauses for entities to comply with. This note isn’t getting into that.

Let us now wait and watch how this develops. Remember – India is the second largest digital market in the world and the fastest growing. Hence the pressure is significantly high to have a Data Protection Law in place.

The bill and the accompanying report of the Shrikrishna Commission are available at: http://meity.gov.in/data-protection-framework

Comments & feedback welcome at privacy@arrka.com