The draft Personal Data Protection Bill 2018 resembles the EU’s General Data Protection Regulation (GDPR) but comes with ambiguities and its own pain points, according to a joint study by PricewaterhouseCoopers (PwC) and the Associated Chambers of Commerce and Industry of India (Assocham).
In July this year, the Justice BN Srikrishna committee proposed India’s Personal Data Protection Bill, 2018 to the Centre, with the aim of creating a comprehensive framework for data protection, suggesting that companies adopt certain practices to collect, process and store consumers’ data.
“The proposed Personal Data Protection Bill runs into 112 sections and is very similar to the EU’s GDPR; however, it comes with its own challenges and ambiguities,” the PwC-Assocham study said, adding that even as organisations in India were coming to terms with the GDPR, they found themselves confronted with another regulation.
The draft recommends that every data fiduciary (any entity processing personal data) ensure that at least one serving copy of the personal data to which the Act applies is stored on a server or data center located in India. In practice, this typically means that companies would be required to build servers locally.
“The move to allow data fiduciaries to save a local copy of all personal data that is stored outside the boundaries of India could have some negative consequences,” the report said.
To protect national interests and contain the risk of surveillance by foreign states on critical data, the draft bill prevents data fiduciaries from sending ‘critical’ personal data outside the territory of India.
However, what constitutes personal data and ‘critical’ personal data is a decision that has been left up to the authority, the 21-page study added.
The intentions behind the move are good, but maintaining data locally would have an impact on businesses across multiple industries that are today cloud-led, and it would increase the general cost of doing business across industries.
The BN Srikrishna committee’s proposal to bring in criminal liability, making the offenses cognisable and non-bailable under the new norms, may also force private sector executives to face conviction, a clause contested by various stakeholders.
Following the Supreme Court’s recognition of the ‘right to privacy’ as a fundamental right under the Constitution of India in August 2017, the draft Bill’s guidelines have attracted much attention in the country.
The study also pointed out that system integrity may be threatened when data is purged.
“Data destruction may compromise system integrity in many legacy and CRM systems as these are not built to allow data destruction or anonymization,” the study said, adding that companies might have to retune their systems to address such challenges.
The exclusion of anonymised data will considerably bring down the obligations on entities in both the private and public sectors, and the study suggested that, in order to prevent harm to specific groups of individuals, limitations on processing and publishing analysis of anonymised data should be evolved.
Companies will have to limit collection and reuse of data in line with the consent obtained from the data subjects. According to the finding, it would be challenging for organisations to change the mind-set of collecting and keeping more data than necessary.
Data breaches are a serious business issue, according to the PwC-Assocham study, which added that the Bill proposes a layered approach for levying penalties on organisations for non-compliance.
In order to avoid significant business ramifications due to data breaches, organisations need to outline a well-defined testing mechanism to assess readiness to address any eventualities, the report added.