If the hints we’re receiving are to be believed, India is about to get a new Personal Data Protection Bill.
This will be our country’s first piece of legislation specifically to protect the privacy and security of people online, and it might come this winter session.
Apparently Parliament is looking at taking up the discussion of this bill in the current session, according to an IT ministry official who spoke to PTI. It might also include hefty penalties for entities that exploit a user’s data without their explicit consent. So here are some things we hope they keep in mind.
Storing Indians’ personal data
There is a rough draft of the Personal Data Protection Bill, based on the recommendations of the government-constituted panel headed by former Supreme Court judge Justice B N Srikrishna. It reportedly requires that Indians’ customer data be stored only locally, and imposes conditions on its cross-border transfer. The draft also suggests setting up a Data Protection Authority of India to police cases relating to this.
So far, this hasn’t included any mention of mandating that companies specify what data is collected and how, the way Europe’s GDPR does. We can only hope it is included in the plans, because otherwise there’s a big loophole in how customers are expected to provide consent. Additionally, it remains to be seen how the restriction on transferring user data abroad affects international apps like Facebook and Twitter.
Penalties for violation
The draft also reportedly details a penalty of Rs 15 crore, or 4 percent of a company’s total worldwide turnover, for violating the provisions of the bill. The former is a penalty threshold that makes sense locally; the latter will more likely be applied to global corporations. And that’s a number pulled straight from GDPR’s description of penalties, which is a great idea. In fact, it might be on the low side.
Right to be forgotten
Based on comments from experts, the new bill is supposed to allow a person complete control over their data. And as we mentioned, it talks about companies gaining explicit consent from a user before harvesting their data. However, there’s been no talk thus far about something that’s been a big part of GDPR, the right to be forgotten. This means that, if at any time a person changes their mind about a company having their data, they should be able to revoke access. After all, you don’t want a company like Facebook retaining your data after you’ve deleted your account.
Maybe this is a topic that will come up in parliament, but we don’t have high hopes. After all, it took till 2018 for us to even start thinking about making this kind of data protection bill. And if it is included, we also hope it has a similar one-month maximum time frame for a corporation to reply to an erasure request.
Notification in case of breaches
Another major problem with India’s digital laws is that we have nothing to protect users from hacks. If a company is hacked, there’s currently no mandate forcing it to disclose the breach to its customers. Basically, if hackers get to the personal data held by any Indian company and no one finds out, that company is currently under no obligation to let you know.
Only banks and stock exchanges are legally mandated to report breaches, and even that doesn’t involve notifying customers. The only people they’re really forced to tell are the RBI and India’s Computer Emergency Response Team (CERT).
Hopefully, then, the bill follows the draft, which suggests a fine of up to Rs 5 crore or two percent of a company’s annual turnover, whichever is higher, in the case of an undisclosed breach.
Restrictions on local law enforcement
Currently, the draft reads that “The Bill provides that right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy.” However, it’s not yet been stated whether the government has any intention of protecting people’s personal data from law enforcement. And given past incidents, it’s likely it doesn’t.
It’s not that police and investigating authorities shouldn’t be granted access to personal data; obviously they’d need access in certain investigations. However, that access can be very easily abused without any oversight.
It’s a fight that’s still playing out in the US, with organisations like the FBI constantly haranguing companies like Apple to break their encryption so they can access user data as and when required. That’s a massive breach of privacy though, and should be covered by the laws that supposedly exist to protect from that.
Law enforcement should be required to request access to that kind of data on a case-by-case basis, and the oversight committee judging these requests should be unaffiliated with the government and not under its control. That way there’s a clear trail in case of any accusations of abuse, not to mention proper oversight.
But the time for invited comments and drafts is over. Now it’s finally the moment for parliament to put up or shut up. It’s time for the blokes who made a big show of summoning Mark Zuckerberg in the wake of the Cambridge Analytica scandal to actually get down to drafting a privacy law we can all get behind. Because if they don’t, it’s a clear indication of just how much more they care about their pockets than your privacy.