Since the launch of the Digital India Program, the country has witnessed tremendous growth in digital infrastructure and in innovative e-governance policies that can lead to the digital empowerment of citizens. Affordable access to the internet and an encouraging regulatory system have made India the country with the second-largest number of internet users in the world and have powered its digital economy.
Rapid technological advances have led to large volumes of data being generated by various activities, increasing the dependence of businesses on data-driven decision making. This, however, raises the question of personal data protection, a key issue facing policymakers. India is proposing a ‘fourth way’ to regulate personal data, distinct from the approaches of China, the European Union and the United States, through its draft Personal Data Protection (PDP) Bill, which is due to be passed by the end of the year.
The Data Governance framework consists of three major players: Data Fiduciaries (DFs), who control the means of processing personal data; Data Processors (DPs), who process data on behalf of DFs; and Data Principals, whose personal data is processed. DFs and DPs share a fiduciary relationship, and it is their duty to protect the rights of the Data Principal. The PDP Bill contains a number of other checks and balances that protect the interests of the Data Principal, such as the processing of data in a fair and reasonable manner.
The Bill also provides for the appointment of a Data Protection Authority (DPA) that consists of a chairperson and six members, with at least 10 years of knowledge in the field of data protection and information technology. The DPA is empowered to draft specific regulations for all data fiduciaries across different sectors, supervise and monitor data fiduciaries, assess compliance with the Bill and initiate enforcement actions, and receive, handle and redress complaints from data principals.
A brief summary of the draft bill:
- A single law that governs both private and public entities,
- Sensitive personal data includes passwords, financial data such as bank account or credit card or debit card or other payment instrument details, physical, physiological and mental health conditions, sexual orientation, medical records and history, and biometric information,
- Mandatory storage of a copy; critical personal data is stored only in the country,
- Cross-border data transfer is permitted if it is approved by the regulator or the government,
- Data breaches must be reported to the regulator, and the regulator will decide whether the individual is notified, based on the severity,
- Imprisonment of up to five years for certain kinds of offences.
Most technology giants thrive on data generated by their users and, as the Indian business tycoon Mukesh Ambani said, ‘Data is the new oil’. We will need to watch and see how the Bill shapes the legal regime governing how data is used, shared and stored in India.