The introduction of The Personal Data Protection Bill, 2019 (“Bill”) by the Ministry of Electronics and Information Technology was a step forward in protecting the personal data of individuals and in establishing a Data Protection Authority for that purpose.
The Bill broadly governs the processing of personal data by:
- Companies incorporated in India
- Foreign companies dealing with personal data of individuals in India
The dire need to protect the sensitive personal data of individuals gave birth to The Personal Data Protection Bill. Sensitive personal data includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government.
Statistics reveal that the e-commerce market is expected to grow to US $200 billion by the year 2026. This growth in the e-commerce sector can largely be credited to increased internet and smartphone penetration. It is therefore not wrong to say that it is high time to focus on privacy. The Bill aims to prevent the processing of personal data without any specific and lawful purpose.
Here are a few issues that will have a great impact on Indian businesses after this Bill comes into force:
1. Data Handling: Post the Bill, businesses will have an obligation to inform users about what data is being collected, the purpose of such collection, and how the data is being processed, which adds an extra burden to upgrade data handling practices. Prior consent of users is mandatory before collection of any data.
2. Data Localisation: Data localisation implies that entities collecting or processing data should store such data, or a copy of the same, on local servers within the territorial jurisdiction of the country, as well as permit the transfer of such data outside the country. This will lead to the creation of infrastructure for storage of data and add extra cost for the company.
3. Appointment of Data Protection Officer: After the Bill comes into the picture, business entities will need to appoint a Data Protection Officer, to whom any breach of data shall be reported within 72 hours of such breach.
4. Data Audits: The Bill also contains a provision dealing with the appointment of an auditor who will conduct ‘Data Audits’ to ensure that entities are in compliance with the Data Protection Bill.
5. Data Quality: Entities are required to take reasonable steps to ensure that personal data processed is complete, accurate, not misleading and updated having regard to the purposes for which it is processed.
6. Penalties: The Bill imposes strict penalties and provides compensation to users in case there is any contravention by businesses of the provisions of the Bill.
There is not an iota of doubt that the Bill has set its foot in the right direction, but its implementation will be a challenge. The industry awaits with bated breath the release of the final bill and gears up for the significant effort and cost that it would entail. Aligning with the age-old saying, ‘Better late than never’, the Bill will drastically change the overall structure of entities dealing with personal data of individuals.