The draft Personal Data Protection Bill released by a committee chaired by former Supreme Court judge BN Srikrishna has already sent shockwaves across the industry owing to its stringency and similarity to the European Union’s General Data Protection Regulation (GDPR).
While there is no undermining the efforts and consultative process undertaken in shaping up the draft legislation, it remains largely unclear if suggestions of the stakeholders were, in fact, taken into account. For example, it is difficult to imagine that the majority of stakeholders would have advocated storage of a copy of personal data in India and imposing severe penalties for breaches, which are burdensome.
Without going into the intricacies, we wish to highlight a few broad aspects of the Bill and the challenges India may face in adaptability. This article intends to provide a snapshot of the broader issues and their potential impact on the Indian industry in the immediate future. We will delve deeper into other aspects in the second part of our article.
Time frames: Are they flexible?
The Bill provides for various stages in which the law and its provisions will come into force. On a closer look, it appears to be a matter of concern for an industry largely unprepared and oblivious to the data-protection framework. Notably, the present data-protection framework in India has been in a nascent stage for a very long time, imposing very few requirements on the industry. The Bill is nothing short of overwhelming for Indian business. It is suggestive of a complete and significant overhaul of the policies and systems that each small and big player will have to undertake. Practically, changes of such nature and on such a scale will be required to be done in a phased manner and, importantly, with step-by-step guidance from government and authorities. It is difficult to imagine that a cut-off date will be sufficient to bring about the desired change.
Understandably, a lack of supervision in phased or gradual implementation has led to confusion and chaos, and one does not need to look too far back in history to appreciate this. It assumes more importance for draft legislation of this magnitude, which is likely to affect all sectors of the economy.
What was required to be done or rather, what can still be done, is to make time frames flexible for all businesses, with proper implementation strategies for next steps. Unfortunately, the practical aspects largely remain overlooked in the Bill. With more balanced time frames, a flexible approach and guidance on numerous aspects, businesses would have a better understanding of the best practices and policies to be adopted.
As things stand, no doubt companies will have to commence work on a war footing to be able to comply with the upcoming law and start work on revamping systems and practices.
Undeniably, the Bill is largely inspired by GDPR. It is important to bear in mind that India has never had a comprehensive data-protection framework. It is possible that stakeholders may not have adequate knowledge, experience and awareness pertaining to data protection and its practices. So far, companies have faced very few legal requirements in this regard.
Unlike India, the European Union has had an evolved and robust data-protection legislation and framework for several years. Therefore, compliance with GDPR would not have come across as an uphill task.
However, in India, it is a complete overhaul for the industry, where businesses are required to migrate to or comply with a data-protection law modelled on GDPR. By no means does it appear to be a simple transition to a new legal regime and, hence, the way forward will not be easy. Moreover, the stringent penalties under the Bill ensure that there is no leeway or relaxation for companies.
The silver lining
The Bill has certainly introduced concepts that were, so far, absent from the Indian legal framework. On the other hand, this entails that the industry has to embark on making itself compliant. Another common criticism is that the Bill fails to take the Indian economic and social landscape into account. It is hoped that the ongoing consultative process plugs the gaps and takes a more hands-on approach while formulating the final law.
This is the third of a five-part series that analyses the draft Personal Data Protection Bill.
Harsh Walia is an associate partner at law firm Khaitan & Co. based in Delhi. Views are his own.