07 Dec Indian Data Protection Law Cometh!
So, we are close to the beginning of a new chapter in privacy and data protection jurisprudence in our country. Hopefully by the next week that just happens to be Friday the 13th, we, as a country will have the first look at the Data Protection bill that is placed in the Parliament.
Recently, while attending the Annual Information Security Summit, I was buoyed by re-articulation of the fact that the Indian Personal Data Protection Bill is coming! Whether it is a ‘Kill Bill’ or not only time will tell, but be that as it may, it will be a monumental achievement for us as a country.
The Bill, which is supposed to have borrowed heavily from the GDPR and snippets from other laws such as China, has been closely monitored around the world. It will be fair to state that India is a superpower when it comes to sheer purchasing power of its citizens and the global economies know this fact. Conquer the Indian market and you have a big piece of the pie.
So what is this bill all about. It is a tale that started from way back when our Constitution declared that there is a fundamental right to life. However, it was not clear back then, whether the right to life, covered the concept of right to Privacy also. Plethora of cases, referred to this right and took positions, but none conclusively.
Dial forward in time on August 24, 2017, the Supreme Court of the country declared that Indian citizens do have the Right to Privacy. This set a chain of events cumulating to a draft bill being approved for presentation before the Parliament.
The last version of the bill that was created by the Srikrishna Committee has been in circulation since last year. Hopefully some of the points that were raised up have been settled in the current version.
Please note that while this is still to be presented and it is not known what it would look like in its present form, from what the Hon’ble IT Secretary Mr AP Sawnhey talked about the data protection bill (https://www.pscp.tv/w/1PlKQVykNNWGE?t=49m11s). It will be interesting times ahead!
Some of the salient points of the speech:
- The draft has rejected the concept of Data Controller and Data Subject and has adopted the concept of Data Principal and Data Fiduciary. So we see it as a Fiduciary relation. The Fiduciary is in a position of trust vis-à-vis the Data Principal. This is dramatically different from GDPR. It was heartening to hear that other laws have adopted this post our draft bill coming out.
- Data of other countries not covered. This concept is clarified in the bill.
- In terms of cross border flows, the law is recognising this to be an important concept as the value of the data goes up only when it flows. Data flows important for IT industry, and industries overall, globally. What needs to be balanced is how we treat critical, sensitive data. Proposition: “Critical Personal Data would be stored and processed in India with some very rare exceptions. Sensitive Personal Data would be stored and processed in India with some more possibility of exceptions where the Data Processing Authority and the concerned regulators will over a period of time come out with segments where data can be processed across borders and also jurisdictions where we are more comfortable with such a thing taking shape. And other than critical and sensitive personal data there is a wide range of Personally identifiable data but storage limitations would not be placed around that. Companies are free to store and process that here, companies are free to store and process that elsewhere. All the other duties that are there on the fiduciaries will stay. All the rights of the Data Principals will stay. The Data Principal have justiciable rights, those rights are there. In case there is any Harm that come about to a Data Principal the Data Principal always has the protection of the Indian law. OK. So storage limitation is just one small part of what happens around this entire framework and in storage limitation, the storage limitation will now be around a much smaller segment which is Critical Personal Data and Sensitive Personal Data”.(italicized portion verbatim from the speech).
- Post tabling it in the Parliament it will again be open for debate in the Parliament.
So the countdown begins, and we as a nation, as individuals, as representatives of corporate entities, as legal and privacy professionals wait with bated breath for the bill to be tabled.
Will it happen or not this winter session is the first question. If it does, will it become a law now or later in time is the next? If we clear this stage, the implementation and operationalizing this will be next stage in the evolution of data protection jurisprudence in our country.
CHEERS! Will keep you updated on the news as it upfolds on this law.