Personal Data Protection Bill: Work in progress but enough reasons for optimism

The much-awaited Personal Data Protection Bill was released by the Justice BN Srikrishna committee last week. How is this of any relevance to you – the savvy ‘digital’ Indian, the user of smartphones, apps and social media, the one who does almost everything online?

Here's how the road ahead has just gotten a lot more optimistic for you.

Last year, the Supreme Court of India ruled that privacy is a fundamental right. This bill helps translate this right into tangible action in the context of information or data privacy.

The bill is now out for public comments. Based on inputs gathered and various debates that are sure to emerge, many amendments would be made. Finally, it should find its way to Parliament to translate into a law. However, no matter what the ultimate version of the bill that gets passed, certain realities are here to stay and won’t change.

At the core of this bill is the fact that it clearly makes you – the individual – the owner of your personal data. Does this come as a surprise to you? You probably assumed this has always been the case, right? Well, you were wrong. Till date, whichever entity took your data was considered the owner of the data. Now, the ownership would be back with you.

In fact, the bill calls you the ‘data principal’. So now whichever entity gets hold of your personal data holds it only in a ‘fiduciary’ relationship. This means the entity shall hold your data in ‘good faith and trust and responsibility and act in your best interests’.

Personal data is defined as any data that can make you ‘identifiable’ – either directly or indirectly.

This means it is not only your demographic, financial or health data but also data like your IP address, location data, the meta-data that gets tagged to your emails, your mobile device identifier, etc. In short, all elements of your digital self that are today used to identify you, track you, build your profile and, subsequently, to influence you.

Incidentally, this bill applies to entities even outside India who may be selling something to you or just tracking and profiling you. It is not just Indian entities who would come under the ambit.

Secondly, this applies to the Indian government as well – not just companies.

So, as the owner of your personal data, what are going to be your prerogatives? Some key ones are summarized below:

• Your data can be collected from you (either directly or via someone else) only after the entity tells you why it is collecting it (the purpose). And they can use it only for that purpose and not for anything else. For example, a company or government department cannot collect data from you saying it is for providing you a particular service – and then proceed to sell it to some marketer without telling you.
• What data they collect has to be only to the extent needed to meet the purpose they have told you about. This means gone will be the days when you walked into a store to buy a pair of shoes and they asked you for your mobile number and address, and if you asked them why they needed your mobile number, the answer typically would be ‘the (billing) system needs it, Maa’m’. Stores cannot get away with such stuff anymore.
• The entity would have to tell you all this clearly and in a language you can understand – not tuck it away in the midst of fine print or legalese which you never read. Plus, they need to get your consent to this. By the way, you can withdraw this consent at any point in time that you wish to. Of course, if this in the middle of a service you are enjoying from the entity, then they can stop providing you the service.
• Further, the data that is collected cannot be retained forever. As soon as the purpose for which it was collected is fulfilled, it has to be deleted – unless it is specifically required to be retained for some legal purpose.
  That’s not all. You will now enjoy some rights too:
• Right to know if any data about you is there with a particular entity or not
• If yes,
• What is this data.
• Is it correct and up-to-date. If not, you can correct it.
• Therefore, guessing games can be put to rest and you can actually ask companies to confirm if they have your data.
• Right to be forgotten
• This means if you want some entity who may have your data in their records to erase it completely, they would need to do so (as long as it doesn’t affect the service/product they are offering you).
• Further, they would need to ensure it is deleted from the records of all other entities they may have shared it with in the past.
• In short, you have a right to be ‘forgotten’ by this entity in all respects.
• Right to data portability
• This gives you the freedom and power to easily migrate between different entities without having to worry about the pain of migrating all your data as part of the process.

Of course, there are legitimate exceptions to each of the above – but they are for specific cases which are mostly to do with law and order situations or others logical reasons.

In today’s day and age – where cyberattacks happen regularly and data gets stolen or leaked out – an entity that has your data would be required to inform you of a data breach if your data is amongst the affected cases and the breach is likely to cause harm to you. This is a big step forward from the current situation where no entity in India is obliged to inform you if your data has been compromised.

You will have the facility to file complaints on anything to do with your personal data with a grievance officer that the entity would be required to appoint. So, we can soon bid goodbye to the days when you wonder where to complain and whether at all your complaint would be heard in the first place.

If you don’t get a response, you can escalate it to the Data Protection Authority that is proposed to be set up under this Bill.

While all this seems like a dream, your cynical self is likely to ask “Why would any entity bother about complying with this law?” After all, we have so many laws in place that nobody seems to really bother about. Well, there is good reason to hope this law will be taken seriously – simply because the fines for not complying are fairly steep. They can be up to Rs 15 crore, or 4% of the global turnover, or Rs 5 crore, or 2% of the global turnover, of an entity– depending on what kind of violation has been done. What’s more, there is also imprisonment mentioned for certain types of violations.

Of course, the bill covers many other areas and has a whole lot of other provisions and clauses for entities to comply with.

Let us now wait and watch how this develops. India is the second-largest digital market in the world and the fastest-growing. Hence, the pressure is significantly high to have a data protection law in place.

Shivangi Nadkarni is co-founder and CEO at data advisory and consulting firm Arrka Consulting.

Shivangi Nadkarni