India Finally Has A Data Privacy Framework -- What Does It Mean For Its Billion-Dollar Tech Industry?

This article is more than 5 years old.

India is one step closer to having its own data protection law after the Srikrishna Committee submitted its initial assessment and recommendations on data privacy and management last week in a 176-page report, as well as a draft of the legislation on data protection titled Personal Data Protection Bill, 2018. Even as the recommendations continue to stir debate, technology companies, startups and industry bodies are united in their stance for a law that should safeguard customers and help accelerate India's fast-growing digital economy.

Headed by retired Supreme Court judge BN Srikrishna, the committee made several recommendations, which include jurisdiction of processing personal data, setting up an independent regulatory body for enforcing the data protection law and heavy penalties for violating this law, among other clauses. Moreover, this draft bill is expected to apply to data collected by private and government entities in India.

While it remains to be seen if the data protection bill finds its way to the upcoming monsoon session of the Indian Parliament for further discussion, the report’s recommendations suggest far-reaching ramifications for India's rapidly growing technology industry. In a billion-strong nation, there are nearly 500 million active internet users and India’s online market is second to China. Internet penetration has grown in the last five years, thanks to the growth of startups, e-commerce companies and technology offerings across industries.

Industry Bodies Vouch For Data Protection

Even as technology majors anticipate the next move, India’s primary IT industry bodies such as NASSCOM and Data Security Council of India (DSCI) have been advocating for stringent data privacy and protection for years now, especially since India is making rapid inroads into the global digital market.

Rama Vedashree, CEO of DSCI and member of the ten-member Srikrishna Committee, says, “The digital economy should aim to benefit citizens. With proliferation of information and digital technologies, the technology sector should strengthen citizen safety and security in the digital environment. Moreover, user awareness towards their privacy has been on the rise. We will see consumers making more privacy-conscious decisions and associating certain brands that provide greater privacy controls as better options.” In order to help companies stay ahead of the curve, DSCI has already developed the Privacy Frameworks and Credentials program and is now developing a Privacy Assurance Framework.

Indian Tech and Finance Industries Preparing For Compliance

Ever since the Indian Supreme Court ruled in favor of the right to privacy being deemed a fundamental right, India’s tech industry is more inclined than ever to respect and monitor data usage and storage. Microsoft India recently launched free online courses that will allow students, businesses, and legal professionals to understand data compliance, basics of GDPR and other best practices in security. Indian banks and insurance companies are among the early movers in building blockchain infrastructure, which can safeguard customer data.

And digital financial lenders are not too far behind either, especially since the majority of their customers are online. BankBazaar, an online lending marketplace, is prepared to implement necessary data protection standards whenever the law is implemented. Parag Mathur, General Counsel and Head of Compliance, says, “The average BankBazaar customer is mobile-centric with the inclination towards a digital format. Currently, we are seeing 90 million visitors in a quarter from more than 1,300 cities across India. Stakeholders must come together to enact a law which places the customer in charge of his data, and companies should provide value-added services in exchange for that data.”

For greater accountability, companies processing large amounts of data might have to register themselves as significant data fiduciaries to the Data Protection Authority–a key recommendation made by the Srikrishna Committee. Even though there is little clarity on how this will be implemented, it will increase compliance costs that include periodic company audits and the need for data protection specialists among others.

Vedashree adds, “The role of a data protection officer will gain great importance across the technology industry. We see a rapid increase in demand of skilled privacy professionals and specialists that are equipped to handle compliance requirements coming from various privacy regulations around the world.”

Until now, the accepted legal framework for the Indian technology sector has been the Information Technology Act, 2000. While it provides norms for data collection and usage, it doesn’t lay out guidelines for data storage techniques or user consent, or norms for data processing.

Hopefully, a new data security law in India can change that.

Indian Government Could Decide Fate Of Privacy Law

After thorough analysis, legal experts believe the draft bill has its share of positives but is also ambiguous in certain parts. They have also concluded that the bill borrows significantly from the recently implemented General Data Protection Regulation (GDPR) in Europe.

After many delays, the Srikrishna Committee finally submitted the draft regulation to the Ministry of Electronics and Information Technology (MeitY) last week. Analysis by leading law firm Nishith Desai & Associates explains that once the MeitY finalizes the draft, it should place such a law in the public domain and provide stakeholders an opportunity to provide further inputs, before the law is placed before parliament.

With major government-driven initiatives such as Make in India and Digital India, the ramifications of a data security law can be far-reaching for the Indian technology sector. Now it's up to the Indian government to provide India its first data security law, which can revolutionize the Indian technology industry.