While India Inc. gears up for its own data protection laws, there remains a plethora of crossroads and ambiguities around the readiness quotient and being in sync with the global GDPR benchmarks. Lex Witness gets into a conversation with Shweta Bharti, Senior Partner, Hammurabi & Solomon Partners to explore more.
In view of the recent Facebook and Cambridge Analytica controversy where data of 87 million users, including 5 lakh Indian users, was shared unethically through a third-party application, shows how vulnerable we are in this day and age. The Draft Bill is aimed at shielding us from such harms by protecting our personal information, outlining the role of data processors, providing guidelines for data storage, and imposing stringent and deterrent penalties for infringing on privacy. It’s a data protection framework that we definitely needed.
The law once imposed will have farreaching implications on data handling and processing practices by government departments and companies, both Indian and foreign.
The EU recently formulated new European Union law called the General Data Protection Regulation (GDPR) and in California the California Consumer Privacy Act of 2018 was enacted drawing attention to the much-needed user privacy and data protection policies by companies and businesses around the world.
Even in India the Bill will require companies, to disclose to users the data they are collecting and storing on them, whether the users can get that deleted, whether that information has been sold to third party companies, and other similar requirements. The Bill also highlights the need for different obligations for Personal Data and Sensitive Personal Data based on criticality of data. This will mean the companies will have to reorient their business processes. In fact, as sensitive customer data is a part of their core operations the technology sector has to be extra careful. The risk of network breaches is on the rise in the digital domain, it is therefore imperative that telecom companies and the ISPs restructure the way user information is collected, stored and analysed. Users cannot be railroaded into giving their consent to be able to use a certain product, service or feature.
Companies would need to adhere to a strict regulatory compliance to protect the users’ personal data.
ISPs will have to ensure that they store and use consumer information only with the explicit consent of the users and also provide more effective mechanisms for individuals to track and withdraw consent. The full impact of the proposed law cannot be identified at this stage.
The draft Bill has been put together keeping in mind the Supreme Court judgment in Puttaswamy v. Union of India.1 The right to privacy was recognised as a fundamental right pursuant to Article 21 of the Constitution. It advocates privacy as a fundamental right and necessitates having a data protection framework for keeping data of citizens secure and protected. The Bill has also introduced the concepts like Privacy by Design and a data breach notification. The principles of Privacy by Design focus on making privacy assurance an organization’s default mode of operation.
Section 39 of the draft Bill also provides a dispute resolution mechanism. If an individual’s personal data is compromised, they will have the option to raise a grievance with the data protection officer of the entity handling the data. If the matter is not resolved satisfactorily one will even have the option to escalate it to an appellate tribunal.
The next phase could be more about getting consultations on the matter and focusing on planning of the phased implementation. Businesses were given two years to comply with the GDPR in EU, once the framework came into force in 2016. In India, considering the expanse of the proposed law and the fact that it will have an impact on 50 existing laws in the country, the Framework has much to iron out. There are also several other factors that are left to be determined through Codes of Practices or to be determined by the Government subsequently.
H&S has been working deeply with the BoardS and managements in the areas of risk manangement & compliance for data protection & privacy. The Companies Act, 2013 provisions and the upcoming corporate governance framework recommended by the Kotak Committee earlier this year, make it incumbent of Boards to have a pro-active approach to have well structured data protection frameworks in place to manage risks and ensure transparency and trust among all stakeholders in the data protection space. H&S has been doing path-breaking work with Boards in order to effectively achieve risk controls & compliance with the emerging data protection and privacy regime in India.
The clients are being advised to be careful about their business processes, reporting structures and even the global third-party service providers. It would be wise to strengthen their in-house data processing mechanisms and focus on eliminating any risk of data breach. Encryption and anonymity of user data will be extremely important.
Companies will have to indulge in extensive planning, revisit their stakeholder & customer outreach strategies, conduct regular impact assessments, and adopt new procedures to deal with the new laws.
In addition of risk control through structured frameworks & compliance, we feel that transparency and Self regulations in areas where policy gaps remain, will be drivers for Businesses in the data Protection domain.
www.grandmasters.in | 8 Years & Counting
www.rcls.in | 8 Years & Counting
www.itlegalsummit.com | 8 Years & Counting
www.bfls.in | 8 Years & Counting
www.maels.in | 8 Years & Counting
www.plcs.co.in | 8 Years & Counting
Copyright © 2020 Lex Witness - India's 1st Magazine on Legal & Corporate Affairs Rights of Admission Reserved
