India's tech industry up in arms over proposed data privacy law

Kapil Kajal | Jan 9, 2020 | 9 min read


The Personal Data Protection Bill, 2019 came an inch closer to becoming an act when the Minister of Electronics and Information Technology, Mr Ravi Shankar Prasad, introduced it in the Lok Sabha on December 11, 2019. The bill is meant to protect the personal data of individuals, that is, data relating to characteristics, traits or attributes of identity. It further categorises personal data into sensitive personal data and critical personal data. Sensitive personal data includes financial data, biometric data, caste, and religious or political beliefs; critical personal data is not yet defined. The bill also establishes a Data Protection Authority to act against those who do not abide by it.

The bill restricts the processing of personal data by the government, private companies and foreign companies dealing with personal data in India. However, the central government can exempt its agencies from these restrictions in the interest of the security of the state, public order, the sovereignty and integrity of India, and friendly relations with foreign states.

All companies must implement security safeguards such as data encryption and measures to prevent the misuse of data. Violating the bill attracts a fine of Rs 15 crore or 4% of annual turnover, whichever is higher; failure to conduct a data audit is punishable with a fine of Rs 5 crore or 2% of annual turnover, whichever is higher.

Pavan Duggal, senior advocate and cyber law expert, said, “The Data Protection Bill is India’s first foray into data protection. Till now India has not had a dedicated law on data protection; consequently, we have only been relying upon the Information Technology (IT) Act, which is not a data protection law. This law will have an impact on all the businesses running in the market if the businesses are dealing with sensitive personal data, which means all businesses, because all businesses today run on financial data. Financial data is sensitive personal data. So all businesses will now have to be prepared for new compliances like appropriate documents, policies, audits and security measures, which will take money, time, effort and energy. Every company needs to have a different kind of data protection department. Businesses like banking, finance, insurance, health, critical information infrastructure etc. will be most affected by the new bill. There are some loopholes in the law as well: the law does not define what critical personal data is, it takes a very deficient approach to data localisation, and there are conflicts between this act and the IT Act.”

A statement by the Internet and Mobile Association of India (IAMAI) titled “Critical Concerns Persist in Personal Data Protection Bill, 2019”, published on 12 December 2019, said: “The association stated that the Personal Data Protection Bill, 2019 (PDP) in its current form compromises on privacy of Indian citizens as it has built-in far too many exceptions for Government agencies to access personal information of the citizens.”

The statement added that the Bill under deliberation proposes stringent procedures that put the functioning of businesses at risk, which is a matter of concern for the industry at large. The enormity of the proposed provisions also raises concerns over capacity building for the entire exercise, since some of the provisions can be restrictive for service providers and may not support India’s target of a USD 1 trillion economy by 2024.

The statement stressed that the Bill requires all businesses collecting personal data to have a ‘Privacy by Design’ policy in line with the requirements of the Data Protection Authority (DPA) and to obtain certification from the DPA in order to do business in India. This would create a restrictive certification and licensing regime for businesses operating in India, which risks delaying service provision and may prove a major handicap for Indian tech start-ups that are currently in a race with the rest of the world in innovation, the statement added.

The statement said: “The Bill now allows provisions for the Central Government to seek anonymized and non-personal data from any data fiduciary via the DPA. This, along with the fact that insights derived from personal data are also considered personal data, raises issues of undermining Intellectual Property Rights of businesses engaged in data services.”

A technical expert, on the condition of anonymity, said, “The private companies will have to change a lot of things, starting with technical changes. They have to change their complete architecture, which includes encryption, and servers if they are in another country. Suppose an Indian company has its servers in the US; it must comply with the rules of the US. Now, after the law, these servers need to be installed in India, and we have to look at the cost of Indian servers, which can be higher than that in the US, and the reliability of the service will also be compromised. Technical security safeguards are also needed, so the encryption cost will be added. Also, companies have to bear the additional cost of periodic security audits and have to appoint data protection officers. Some companies will have to set up a completely new department for data protection. We saw after the General Data Protection Regulation (GDPR) that Microsoft spent a huge amount of money to build a new architecture and also had to employ 300 more engineers. Microsoft has the capacity to spend that much, but the case is totally the opposite in India. Small companies which run only on small revenue can be impacted a lot, as they cannot afford such a thing. Failure to abide by the rules can result in a heavy penalty as well as criminal sanctions, which is not the case in GDPR.”

The National Association of Software and Services Companies (NASSCOM) and the Data Security Council of India (DSCI) submitted joint feedback on the PDP Bill in a letter to the Ministry of Electronics and Information Technology, seeking more clarity on the bill.

The letter said: “The provisions restricting the cross-border flow of personal data are particularly concerning as these mandate localisation of all personal data and provide wide discretion for classifying personal data as critical data required to be stored only in India. We believe that localisation generally does not address the objectives of data security and privacy. Mandating data localisation would undermine the competitiveness of Indian start-ups, SMEs, e-commerce firms, FinTech and other technology-driven firms. With data localisation, India would become a less attractive destination for start-ups based outside of India.”

“In order to design a consistent and proportionate regulatory framework, there is a need to develop conceptual clarity over personal data, sensitive personal data (SPD) and critical personal data. From an IT/BPM exports perspective, the current draft of the Bill neither provides certainty around actual exemptions which are necessary from the date the law comes into force, nor addresses the concern that possible future exemptions might reduce the protection available in this Bill to data of persons in foreign jurisdictions being processed in India. The industry could potentially get just six months to be operationally geared up for the law, as there will be a lot of changes a company needs to make in their software, encryption etc.,” the letter added.

Naavi Vijayshankar, cybersecurity expert at Technolegent Information Security (a company dealing in data security), said, "Basically, whichever company is collecting the personal data of the public needs to be compliant with this act, but there is an exemption for small companies which do only manual processing; all others have to be compliant with the law. Basically what it means is, before collecting the information, they should give notice to the people that 'I am collecting this information' and obtain consent from the person. After collecting it, they should secure it. So if a particular company is using a particular person's data, they have to improve their security and make some changes in their way of collection, so that is required. All this is not new; it is already there in the IT Act. The only difference is that now there is a new regulator, and the regulator is going to watch what is being done, while under the earlier regulation, only after a crime happened would some action be initiated; now there will be continuous monitoring. It will not hugely impact the companies, but if you are collecting a huge amount of data and you did not do anything for the security of that data, the impact will be huge. If you take big companies like Infosys, Wipro etc., they will not find any difference as they are already doing it; only some minor changes and they will be good to go."

Some experts, however, welcomed the move. Ruchita Puri, President, Asia Europe Foundation, said, “The PDP will have an impact on the businesses in India, but the companies will have more checks in place in handling people’s data. If you are handling people’s personal data, then more protection will be required. It is not that difficult, though; the companies just need to change their practices of sharing the personal data of people without their consent. In India, we see mass sharing of contact details, and we receive a lot of messages from companies. It does not require a lot of finance; it mainly requires a change in behaviour. If it is a small player, then there should not be a bulk of data they are dealing with, so they can manage and afford that easily. It is a matter of some coding only. People get concerned because they think a lot needs to be done, but a little awareness can do the work, and I think they are unaware of the simplicity of it. The more you do it, the more people will trust you; your reputation actually increases, and the rest of the world will be interested in doing business with you because you follow those rules. It is like ISO 9001: when it was first implemented, people thought, how will we do it? But later, the companies which followed it got more ventures. Their stocks went up. The more rules you follow, the more internationally you will be recognised. People will love to talk to you because you keep their data safe, and they will also refer you more. This is a customer-centric world nowadays; you have to take care of your customer, and the customer will take care of you. Whatever you are spending will come back in this way. This is a win-win situation.”
