India closes the vault on data

by Arnab Mitra

India’s Personal Data Protection Bill, 2019 defines who owns personal data, who can use it and under what circumstances. Though US tech companies are unlikely to welcome some of its provisions on data localisation, the bill is intended to prevent data colonisation and is broadly in line with the emerging global consensus on the issue.

Highlights:

  • The Personal Data Protection (PDP) Bill currently under deliberation is set to legislate rules and requirements on data sovereignty.
  • According to the bill, sensitive data relating to financial status, health, sexual orientation, biometrics, religious or political beliefs and affiliations will have to be stored in India.
  • The PDP Bill also requires social media companies to provide a mechanism through which users who register for their services from India can verify their identity.

The Narendra Modi government in India recently approved the Personal Data Protection (PDP) Bill that will govern the storage, use, processing, analysis and monetising of all data generated by Indians within the territory of India. It seeks to legislate rules and requirements on data sovereignty, which means a country’s right to control data within its territory, and data localisation, which requires data to be stored within India’s borders. This bill is expected to be passed and signed into law by the President of India very soon.

Why Indian data is becoming so important

Anyone who logs on to the Internet generates data – on their shopping habits, medical condition, travel patterns, banking transactions, browsing history, etc.

This data can be accessed individually or in aggregate to create data banks that can become goldmines for profit and plunder by (mainly Western) tech giants that have access to this data. This can lead to what many are dubbing “data colonisation”, which will leave the individuals or their countries with no control over either the data or the profits that are generated from it.

With half a billion Net users – and counting – India has grown rich in data before becoming rich. There is a need to ensure that this data is mined in Indian, and not foreign, interests.

The definitions

The PDP Bill is similar to the European Union’s General Data Protection Regulation (GDPR), though it is not modelled on it. It has the following important definitions:

Data principal: The individual generating the data. Under PDP, the data principal is the owner of the data.

Data fiduciary: Tech companies and websites such as Facebook, Google, Amazon, banks, travel booking websites, etc., collect humongous amounts of data on people who use their services. They have been defined as data fiduciaries. They decide what data will be collected and analysed, why, and how the results will be used. A data fiduciary is the equivalent of what the GDPR calls a data controller.

Data processor: A third party that processes the data on behalf of the data fiduciary. For example, Cambridge Analytica, which processed and misused data harvested from Facebook users, played the role of a data processor.

Data flows: Where the data is stored, where it is sent, where it is processed and analysed, and where the results are sent are collectively called data flows.

Data Protection Authority (DPA): The PDP Bill provides for a DPA, which will be the final authority on making definitions, carrying out assessments and conducting the audits required to implement the law.

Data Protection Officer (DPO): Every data fiduciary will have to appoint a DPO, who will liaise with the DPA on auditing, grievance redressal and all other activities related to maintaining and storing data.

Categories of data

The Indian law classifies data into three categories – critical, sensitive and general.

The government or the DPA will define what is critical data. This will have to be stored and processed in India.

Sensitive data has been defined as all data relating to financial status, health, sexual orientation, biometrics, transgender status, religious or political beliefs and affiliations. Like critical data, it has to be stored in India. However, a copy of sensitive data can be transferred outside India for processing with the explicit consent of the data principal and subject to the conditions laid down by the DPA.

General data is all data that is non-critical and non-sensitive. This can be stored and processed anywhere without any restrictions.

KYC norms

Just as banks, telecom companies and some other intermediaries have to follow “Know Your Customer (KYC)” norms, the PDP Bill requires social media companies to create a mechanism through which every user who registers for their services from India can verify their identity; the bill frames the verification itself as voluntary on the user’s part.

This provision, however, can make Net usage cumbersome for users. Privacy advocates are also unhappy with it.

Government intervention

The law allows the government to direct any data fiduciary to provide it with non-personal data – for example, data on traffic flows – in order to provide better services to citizens, for research or for other public purposes.

The government or any official agency cannot seek personal data except for a specific and lawful purpose. This means law enforcement or investigative agencies can access personal data only on such grounds, for instance in the national interest or for the investigation of a crime. “Technological evidence is the best evidence. Investigation of crime is public purpose; hence, under the garb of data protection, one cannot cage the rights of an investigating agency,” an unnamed official was quoted as telling the Indian media.

Violations and fines

The PDP Bill has provisions for stiff fines and penalties in cases of violations. A data fiduciary can be levied a penalty of Rs 5 crore ($700,000) or 2 per cent of its global turnover, whichever is higher, for a data breach, for inaction by the fiduciary or for a minor violation.

This can go up to as much as Rs 15 crore ($2.1 million) or 4 per cent of global turnover, whichever is higher, for a major violation such as processing or sharing personal data without consent.

Most US concerns unaddressed

US companies and even the US government have objected strongly to Indian data localisation efforts.

Recently, US Treasury Secretary Steven Mnuchin requested India to treat US-based companies fairly and urged the country to ensure that its data localisation efforts do not impact other countries.

Many US tech and financial services companies such as MasterCard, Amazon, Facebook and Google, among others, have objected to India’s proposed data laws, saying the requirement of storing data locally would increase costs, sometimes prohibitively, hurt both local and foreign companies and “negatively impact the flow of foreign investments”.

A good beginning

Most analysts have welcomed the PDP Bill. One major reason why the criticism has been muted is that the PDP Bill is very similar to the EU’s GDPR.

“We don’t want to build walls,” Aruna Sundararajan, Secretary, Department of Telecommunications, Government of India, told The New York Times, “but at the same time, we explicitly recognise that data is a strategic asset.” The new law, she added, was part of a plan to chart the global “rise of Indian tech companies”.

As the world’s largest democracy and a major generator of data, the country remains a key global influencer of technology industry norms, a growing global player in this sector and a large market for international tech majors. So, despite the murmurs of protest at the end of their data monopoly, Western tech majors are unlikely to pack their bags and leave India anytime soon, especially as the bill leaves considerable scope for the norms to develop over the next two years.

A more detailed analysis will have to wait till all the rules are notified.

Published December 13th, 2019 | 2019, North America Edition – 13 December 2019