In an attempt to build trust among internet users, the Union Cabinet gave a nod to the Personal Data Protection Bill on Wednesday. The Bill, which aims to bring regulations around usage and storage of personal data, is in line with what some of the countries have done globally, including the US.
But, the Bill also brings raises questions about what the government can do with the personal data. “It allows the governments to analyse personal data when required and if necessary,” sources told Tech2. “However, the government will have to show that it is purely for national interest and is authorised by law.”
The sources added that the data can be used if it is for public good and service. “However, the main intention is to empower citizens by giving them the right to complete data protection,” the sources said.
While more details are not available as the Bill has not been made public, sources said that companies who have personal data of their customers should take required steps in ways of encryption and storage of data so that it is not misused.
The Bill comes at a time when India is at one end witnessing a surge in data usage, with cheap smartphones and even cheaper data tariffs, which is the lowest in the world, and on the other hand is falling prey to data breaches, which was evident in the latest WhatsApp debacle. More than 121 Indian’s phones were hacked by the Pegasus spyware.
“The data protection bill is like a double-sided sword, on one hand it protects the personal data of Indians by empowering them with data principal rights and on the other hand it bestows the central government with exemptions which are against the principles of processing,” said Burgess Cooper, Partner, Cyber Security at EY India.
Cooper added that the state can process even sensitive personal data when required, without an explicit consent from the data principals. “However, the government will need to show that any processing of personal data is necessary and processing of sensitive personal data is strictly necessary for the exercise of any function of the State authorised by law for the provision of service or benefit. These are broadly-worded carve-outs can be misused and hence need to be carefully examined,” he added.
On security, Cooper said that data fiduciaries are obligated to take necessary measures and implement policies to ensure privacy should be embedded and built into all the systems, applications and architecture at each stage of processing-collection, processing, usage, transmission, storage and disposal.
The Data Protection Bill is very much like the General Data Protection Regulation (GDPR), which is a regulation in European Union law on data protection and privacy for all individual citizens.
Some believe that the Bill will play an important role in reducing data privacy breaches. “It should put an end to such malpractices around personal and private data. Enterprises and service providers already following the GDPR guidelines are today in good shape already,” said Rajpreet Kaur, Principal Analyst at Gartner, a US-based technology research and advisory firm.
The Bill would also not allow companies – Indian and international – to send data outside the country. “A complete restriction on transfer of sensitive personal data and a framework for restrictive transfer of other personal data outside India will boost data sovereignty and push the data processing and storage demands in the country,” said Sunil Gupta, Managing Partner and CEO of Yotta Infrastructure, a Mumbai-based data centre solutions provider.