Data protection is a new age concept that arose as the technology grew and
synced with people on various numbers of data that they had generated like the
passwords, their lifestyle activities, shopping preferences etc. The Countries
under the European Union recognize the gravity of personal data and how it
should be preserved.
There have been laws governing for the same as well. In its
latest iteration, the EUGDPR (European Union General Data Protection Rights) was
passed in 2018 and it was made applicable to the other MNCs those were not from
the EU as well. This is much regarded to protect the individuals from being
pried by the Corporates that tend to offer goods and services. The Indian
counterpart of this could be the proposed bill of Data Protection Bill, 2018.
This is yet to be passed and is now currently being reviewed.
The primary question of letting an individual take control of what data of
theirs must be shared anywhere becomes the very challenge as well. With the
increase of service-oriented establishments, one individual participates in and
shares their data with, the challenge becomes a tougher job to identify, trace
and control the data that is being shared. On this note, the EUGDPR was somehow
able to foresee the line of control by implementing strict control and policies
over the Companies that were belonging to the third-party nations as well.
the impositions of heavy penalties on the offending corporates, the corporates
are now forced to review their policies and mend any clauses to accordingly
comply with the EUGDPR as to not violate it.
The EUGDPR has been extensively referred to and discussed by the Expert
Committee in its white paper. While concepts from the EUGDPR such as privacy by
design, right to be forgotten, extra-territorial applicability
been reflected in the Bill, the Bill has been drafted in a manner such that
these concepts are moulded to fit Indian data protection requirements. Akin to
EUGDPR the Bill has subjected sensitive personal data to greater protection.
While the concept of data fiduciary
in the Bill is similar to EUGDPR’s
data controller concept, the use of the term fiduciary
intentional as the Bill intends to impose fiduciary responsibility on any
person handling personal data.
As under the EUGDPR, the Bill also has extra-territorial applicability and
would apply to the processing of personal data by data fiduciaries/processors
outside India if the data processing occurs in connection with:
- any business carried on in India;
- any systematic activity of offering of goods and services to data
principals within the territory of India; or
- the profiling of data principals within the territory of India.
Further, while the Bill recognizes the right to be forgotten
of a data principal, unlike the EUGDPR, it does not entitle the data principal to seek right to deletion of
personal data but only provides for a limited right to restrict or prevent
continuing disclosure of personal data subject to fulfilment of certain
criteria. Similar to EUGDPR, the Bill prescribes hefty penalties for violation
of its provisions based on the total worldwide turnover of the entity of the
previous financial year.
While the Bill has been drafted along the lines of EUGDPR, the two are not
identical. The Bill has taken cognizance of India’s unique data protection
requirements and has attempted to address the same.
Issues relating to the classification and categorization of data and the
attendant regulation of data practices and activities, which are at the core of
any data protection framework, are not clearly established in the Bill. For
example, the Bill creates a new category of personal data called critical
which would be subject to local data processing requirements and
prohibitions from any movement across the border.
However, neither the Bill nor
the Committee’s report provides any objective criteria for such classification
by the Central Government. Further, even though the Bill exempts anonymized
from its purview, it does not adapt legal requirements in circumstances
where other de-identification techniques are used to mitigate privacy risks,
including with respect to data breach notification obligations and risk
assessments, which would encourage use of these practices. Other data
categories, like non-personal data and community data
, are mentioned in
passing, but are neither adequately discussed nor explained in the report or the Bill.[i]
The Bill also does not adopt a pragmatic approach with respect to supervisory
and enforcement functions. The Bill establishes an independent regulator called
the Data Protection Authority (DPA), but its current formulation would make it ineffective.[ii] While the report recognizes the lack of regulatory capacity and
expertise in India to carry out the DPA’s proposed functions, the Bill continues
to burden the DPA with such functions, including wide discretionary powers that
could disrupt business operations in India.
There is also no clarity on whether
the Bill adopts a collaborative approach to rule-making, wherein industry
stakeholders will have an opportunity to participate in the formulation of
codes, standards and regulations. The lack of clarity in the Bill on these
underlying principles, which lie at the core of any data protection framework,
creates an environment of uncertainty for businesses, which could have a spill
over effect on commercial operations, R&D activities, and future investments in
India. Further, the unpredictability of rules – as several provisions will be
determined after the enactment of the Bill - impinge on the ability of organisations to define appropriate data protection programs, policies and
(Last Accessed on 14.05.2020).
(Last Accessed on 16.05.2020)