Indian Personal Data Protection Bill, 2018

Protecting Customer Privacy
2 Sep 2019

India’s own Data Privacy Regulation?

Posted By

Data Privacy for individuals has become a primary concern for business, legal and human rights organizations. IT became especially important in India, where your personal data could have been bought and sold for pennies.
Companies have been known to continually flout rules and ignore the privacy of the people. Even today, India lacks any formal data protection regime that can protect people against gross violations of their privacy in today’s networked world.

India is finally moving towards having its own data protection law after the Srikrishna Committee submitted its initial assessment and recommendations in a report on data privacy and management in 2018. This was accompanied by a draft of the legislation on data protection titled Personal Data Protection Bill, 2018.

As expected, the recommendations continue to stir debate and questions have been raised. However, industry, tech firms and legal bodies agree that we need a law that safeguards customers and help accelerate India’s fast growing digital economy.  India needs a law which is need of the hour to truly ensure a person’s privacy in today’s digital age.

Need for Data Privacy LawIndia Data Privacy

Today almost everyone has a mobile device and is well connected to the global digital network, increasingly sharing personal information, photos, financial details, family and even health status in a remote public cloud. A primary point of concern for the individuals is protection of their personal data.
Till the new law becomes a reality, India’s data protection regime is primarily governed by the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011. However, these laws are left behind by the accelerating digital world; failing to protect the interest of the individuals. Thus, the Draft Data Protection law is a step in the right direction.
The “Personal Data Protection Bill, 2018” is on lines with the European Union’s General Data Protection Regulation (EU GDPR)1 which came into effect on May 25, 2018. EU GDPR outlined the following principles.
  1. The right to have personal data minimized.
  2. The right to have knowledge as to where the data is being stored.
  3. The right to have access to the data, to correct it.
  4. The right to be forgotten wherein the data subject has the right to ask the company to delete their personal data permanently.

The Bill, when implemented, will require the enterprises to review their current systems and policies and invest in upgraded IT design and infrastructure to comply with the requirements of the Bill.

Additionally, for greater accountability, companies processing large data volumes might have to register themselves as significant data fiduciaries to the Data Protection Authority–a key recommendation made by the Srikrishna Committee. It may increase compliance costs in terms of rewiring systems, periodic company audits and hiring data protection specialists among others. However, this law can be a godsend for the Indian technology industry, opening billion-dollar local business opportunities.