Roti, Kapda, Makaan aur Privacy – is an appropriate adaptation in times where people are connected 24/7 through the web.

The prolonging allure of globalization followed by its societal, economic, and technological innovations has altered economies in the most unfathomable ways. A radical by-product of the globalization era is the World Wide Web, which transcends borders and connects individuals worldwide within seconds. It has quickly become an essential part of daily lives but several countries are faltering to match up to the developments in the World Wide Web giving rise to data protection and privacy concerns. 

Privacy legislation in India 

Presently, the Information Technology Act 2000 and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 govern India’s data protection regime. However, these legislations fail to protect individual interest in today's time. 

In realizing this, the Electronics and Information Technology Ministry of India tabled the “Personal Data Protection Bill, 2019" (the Bill), which along the lines of European Union's General Data Protection Regulation (EU GDPR), the present hallmark of data protection regime in the world, with one noteworthy contrast being the necessity of data localization and stringent restrictions on the cross-border data transfer.

The Bill largely governs the processing of personal data by the Government, Indian companies, and foreign companies dealing with personal data of individuals in India. The Bill recognizes three main types of information, namely: a) personal data, b) sensitive personal data, and c) critical personal data and further empowers the Data Principal – a natural person to whom the personal data relates – to obtain confirmation, correction, transferability, and restrictions on disclosure of their data by a fiduciary. 

At the heart of this Bill is – Consent, without which data fiduciaries would be barred from processing personal data of individuals. However, the Bill exempts certain circumstances which include: (i) when data is required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency, for which consent is not required. Moreover, the Bill provides for the establishment of a Data Protection Authority to protect interests of individuals, prevent misuse of personal data, and ensure compliance with the Bill while penalizing violators. 

Potential Issues emanating from the Bill

Heavy fines amounting to Rs 15 crore or 4% of the annual turnover of the fiduciary are prescribed for violation of the proposed law. Certain offenses also attract imprisonment for up to three years in addition to hefty fines. Thus, the Bill may leave several small and medium enterprises starving for revenues in the event of failure to comply with the Bill in the light of said fines and probable lawsuits. 

The Bill obliquely compels enterprises to review their data protection and processing policies, along with IT infrastructure to ensure compliance with the requirements of the Bill, thereby leading to significant costs of doing business in India. Furthermore, stringent cross-border transfer and data localization restraints may pose a great challenge for foreign investors having operations in India. Although the Bill is likely to cause an array of problems for the law enforcement agencies, its benefits far outweigh the momentary discomfort. 

Conclusion

In the government’s race to match up to the changing dynamics of the world, companies operating in India must gear up for the implementation of the Bill, which is likely to be approved by the Parliament in the Monsoon session of 2020. These regulatory changes, though onerous to many, are almost a natural and necessary trajectory considering India’s growing digital footprint in the world and the enormous amounts of sensitive information they leave over the web, with or without consent!

The PDP Bill, although highly regulated, may face challenges during implementation as industry and the government tries to pave their way through voluminous data. In light of the aforesaid challenges, the government will be required to put in considerable time and resources to make this Bill turn into ground reality without any unintended consequences. Therefore, although this data protection regime is a bold, positive policy, shoddy implementation of the policy may further grapple the economy offsetting the crucial advantages of the Bill at its outset.