Anticipation for India’s New Data Protection Bill​

As India’s digital economy and internet ecosystem continue to grow, it is crucial to establish a comprehensive data protection framework to ensure the accountability of companies that handle personal data. Without such a law in place, these companies cannot be held responsible in the event of a data breach or similar situation. Therefore, there is a pressing need for consensus and collective action towards creating effective data protection legislation. The Indian government has been working on a new data protection bill, which has been in the making for several years. The bill, which is expected to be introduced in Parliament soon, Anticipation Indian bill is aimed at protecting the privacy of individuals and ensuring that their personal data is not misused. This blog outlines the history of the bill, its consequences, outcome and findings by Tsaaro Consulting on the Anticipation Indian bill. 

The History of Bill 

The increasing number of internet users and the widespread use of technology led to the generation of a large amount of personal data. Social media and e-commerce companies gathered this data without individuals’ consent and accountability, leading to concerns over privacy breaches.

In response to the increasing Data Privacy issues, a committee was formed in 2012 to outline core areas of data privacy protection, including accountability, collection and purpose limitation, security, confidentiality, the gathering of consent, access to data and correction, and notice by investigating authorities. This increased use of Aadhar generated a lot of concern among multiple people. Several petitions were filed in the Supreme Court flagging the alleged threats to privacy due to data breaches, etc. This debate led the Supreme Court to form a nine-judge bench to decide whether the right to privacy is a fundamental right. The Supreme Court answered in the affirmative, and in the case of K.S. Puttaswamy v. Union of India, it was held that the right to privacy is a fundamental right.

Following the Puttaswamy judgment, a committee was created under the chairmanship of Justice (Retd.) B.N. Srikrishna in August 2017 to examine issues related to data protection recommend methods to address them, and draft a data protection Bill. On July 27, 2018, the committee presented its report and a draft bill to the Ministry of Electronics and Information Technology. Later, In December 2019, The Personal Data Protection Bill 2019 was introduced in the Rajya Sabha prescribing compliance requirements for personal data, expanding individuals’ rights, introducing a central data protection regulator, instituting data localization requirements, and imposing monetary penalties for non-compliance. The bill was sent for review to the Joint Committee of Parliament (JPC) in 2019, which proposed 81 amendments and 12 recommendations that changed the bill’s mandate.

However, the government withdrew the draft personal data protection bill from the parliament, and the fate of the DPB is uncertain. The Ministry of Electronics and Information Technology comments that the IT Act could be revised to accommodate the country’s evolving technology landscape.

Key Concerns in the Bill 

The draft data protection bill proposed by the Indian government raised concerns for several reasons, including issues related to 

• Data localization 
• Law enforcement access to data
• Weak oversight.

1. Data localization refers to the requirement that personal data be stored on servers or data centres located within the Indian territory. The bill allowed the government to exempt specific categories of personal data from this requirement and also declared certain data types as “critical” that must be stored only in India. This requirement was criticized by tech companies as it required them to create a new infrastructure for storing data in India, even if they did not have a physical presence there. Moreover, there was no clear definition of what constituted “critical and sensitive data” in the bill.
2. The law enforcement access to data provision allowed the government to access all personal data for the purpose of state security and to prevent, detect, investigate, and prosecute offences or other contraventions of the law. However, weak safeguards against state surveillance in India posed a significant threat to privacy. The legal framework for government surveillance lacked court orders, third-party review, or any requirement to notify the subject of surveillance, falling short of international human rights standards.
3. The draft bill also had weak oversight mechanisms. The central government had significant control over the regulatory regime and the power to appoint members of the data protection authority upon the recommendation of an outside committee. The bill required that authority members have specialized knowledge and at least ten years of professional experience in fields related to data protection, information technology, data management, data science, data security, cyber, and internet laws. However, the small pool of experts in India fitting that description could result in a revolving door between regulators and data fiduciaries being regulated, undermining the authority’s independence.

These issues raised significant concerns about the draft data protection bill proposed by the Indian government, prompting industry associations to write to the Minister of Electronics and IT.

The Outcome 

The Indian government proposed a data protection bill that required companies to store personal data in India, which raised concerns about privacy and government access to data. Some companies supported the bill, saying it would help with law enforcement access and increase the Indian government’s ability to tax internet giants. However, civil society groups criticized the open-ended exceptions for government surveillance and the possibility that encryption keys could still be out of reach of national agencies. Technology giants and their industry bodies opposed the bill, fearing a fragmented internet and protectionist policies that could harm young startups and larger firms that process foreign data in India. In the end, the bill was withdrawn due to backlash and the need for improvement.

Tsaaro Consulting’s Findings : 

The Tsaaro Consulting Survey Insight provides about the anticipation of India’s new Data Protection Bill. The survey was conducted in November 2019 and recorded responses from 500 Indian enterprise leaders throughout one-of-a-kind sectors.

One of the main findings of the survey was that a majority of Indian companies were involved approximately the effect of the privacy protection regulation on their operations. Nearly 70% of the respondents believed that the new regulation would boom their compliance charges, even as 62% were concerned about the impact on their business models. These concerns were specifically pronounced amongst smaller agencies.

Another key locating become that many Indian corporations had been not fully organized for the brand-new regulation. Around 40 % of the respondents had not taken any steps to prepare for the upcoming law, while only 14% had finished their arrangements. The last 46% have been still inside the procedure of having equipped.

Interestingly, the survey additionally discovered that many Indian companies saw the new privacy law as a possibility to distinguish themselves from their competition. Around 62 % of the respondents believed that compliance with the new privacy law would enhance their reputation and give them a competitive advantage.

Overall, the Tsaaro Consulting Survey Insight offers insights into the expectations and issues of Indian agencies concerning the new Indian data privacy law. The survey suggests that while there’s full-size apprehension about the impact of the law, there may be also an opportunity for groups to use compliance as a way to stand out in a crowded market.