India’s data protection bill should be modified to cover more than just personal data, and impose strict deadlines on businesses to report data breaches, a parliamentary committee recommended in a long-awaited report published on 16 December, 2021.
The Joint Committee on the Personal Data Protection Bill, 2019, has spent two years examining the proposed legislation first laid before parliament on 11 December, 2019. Given the long delay — and its view that the bill should project more than just personal information — the committee recommended that resulting legislation be renamed the Data Protection Act, 2021.
The committee’s 542-page report includes 93 recommendations to legislators on the drafting of the bill, which sets out the rights of data principals (those that the data describes) and the obligations of data processors a data fiduciaries (those who hold the data).
If the bill and the committee’s recommendations become law, businesses will have new obligations to fulfil, including putting a detailed privacy notice on their website, adopting a privacy by design policy, keeping various records pertaining to data processing activities, demonstrating the fairness of algorithms deployed, and conducting data protection impact assessments, among other accountability and transparency measures.
The committee recommended that businesses processing large volumes of personal data, or whose businesses, through their nature, have the potential to affect a large number of people, or that are otherwise considered risky, be labelled “significant data fiduciaries,” requiring them to implement additional controls and procedures.
The consequences for those that don’t respect the proposed rules would be severe, to say the least. Fines for significant offenses or non-compliance would be up to ₹15 crores or 4% of worldwide turnover, while fines for a minor offence or non-compliance would be up to ₹5 crores or 2% of global turnover.
The bill also creates a host of lesser offences that would attract lower fines and penalties.
The committee recommended that the scope of the bill be enlarged beyond protection of personal data to encompass the collection and storage of non-personal data since, it said, it’s impossible to clearly distinguish between the two, and if privacy is a concern then all data must be protected.
To avoid the need for additional legislation, therefore, it proposed that the Data Protection Authority (DPA) charged with defending citizens personal data in the bill also be empowered to oversee non-personal data.
Two years to implement, three days to report
The bill itself provides no timeline for the implementation of its provisions, so the committee recommended that once it becomes law data fiduciaries and data processors be given about two years to make the modifications to their policies, infrastructure, and processes necessary to bring them into compliance.
The committee was less generous in its suggestion for how long businesses should have to report data breaches. It recommended that data fiduciaries should have to report every breach of personal data to the DPA within 72 hours of becoming aware of the breach, and to keep a log of all data breaches, whether personal data or not.
Another deadline proposed by the committee would come into effect when data principals reached majority. Businesses that process the data of minors should, the committee proposed, have to contact them three months before their 18th birthday to seek renewed permission.
As it stands, the bill allows data principals to receive their personal data where it has been processed automatically, but not if doing so would reveal trade secrets or is not technically feasible. The committee said that the revealing of trade secrets should not be grounds for businesses to refuse to provide data principals with their personal data.
Location, location, location
The bill includes provisions for where data may be stored or processed. Sensitive personal data may be sent outside of India for processing if the individual has given their explicit agreement and certain additional conditions have been met, it says.
Where data is sent abroad, the committee recommended that a copy be kept in India, to facilitate the eventual reshoring of data-processing activities. It also called on the government to ensure that India developed a strong AI software and services ecosystem to support the domestic processing of Indians’ personal data.
It also advocated for a framework to oversee hardware companies that collect data, calling for a certification system for all digital and internet of things (IOT) devices.
The Committee observed that “data protection in the financial sector is a matter of genuine concern worldwide, particularly when through the SWIFT network, privacy has been compromised widely.” Indian citizens, it noted, are major users of the SWIFT international payment service and so, it said, it could give a boost to the domestic economy if India were to develop its own alternative to SWIFT.
But other bodies would remain exempt from retribution for privacy violations under the committee’s rules. Its report did not recommend removing a contentious clause that provides the government with authority to exempt any of its agencies from the data protection laws.
It’s worth noting that the committee’s recommendations aren’t legally binding. The bill will next be presented to the Cabinet, which will decide whether to adopt the committee’s recommendations. Only then will the bill be presented to Parliament for approval. It is expected to be introduced to parliament in the 2022 budget session.