Every day, citizens of India purchase goods and services online. In recent years we have moved rapidly towards a digital society. As internet access keeps increasing across the country at a steady pace, soon the whole population of over 1.3 billion people will be carrying out their financial errands online, shopping online and booking services through their phones. Despite this widespread use, India still doesn’t have a comprehensive law governing the processes, procedures and consequences related to data protection. As we transition to an even more digital society and economy, reforms are needed to safeguard natural persons, set boundaries for company practices and allow for sustainable business practices. Importantly, infrastructure and tools are necessary to enforce those laws: to ensure that corporate bodies adhere to the rules set out and to provide a way to punish those who fail to govern personal data properly.
Existing Guidelines on Data Protection
Personal information is any information relating to a natural person which, directly or indirectly, in combination with other information available or likely to be available in the future, helps the corporate body to identify that person.
Currently, there are specific guidelines for data protection. These can be found in the Technology Act from 2000, which has been updated over the years. Most importantly, there is the Information Technology Act from 2011, concerning reasonable security practices and procedures and sensitive personal data or information. Section 43A of the IT Act states that a corporate body that stores or deals with sensitive personal data or information is liable to pay damages by way of compensation to any person affected as a result of its negligence in maintaining reasonable security procedures. Section 72A of the IT Act states that a fine and/or imprisonment may be imposed if a corporate body discloses personal information in a way that breaches the contract it has with the person, or if the corporate body discloses any personal information without the consent of the person from whom the data was obtained.
The IT Act mandates that a corporate body must obtain prior consent from the provider of sensitive personal data or information before it can use this information. The IT Act further provides a list of the types of data that can be labelled as confidential, including passwords, financial information, health records, sexual orientation and religion, among other types of information.
Privacy Policies
The IT Act states that all corporate bodies need to formulate a privacy policy that discloses what types of personal information are collected and how the company handles this data. Such a privacy policy must be made publicly available and contain all the details around the collection, use and disclosure of data, and the type of security practices used.
Transfer of Data
Transfer of data is common, whether it’s transferred within the same corporate body or shared between different corporate organisations operating in India or abroad. In any case, when data is transferred, the same level of data protection must be maintained as stipulated in the IT Act.
Data Localisation
Data localisation concerns the storage of data; in India it is generally required that data is stored within the borders of the country where it was generated. For example, all personal data related to payment systems should be stored locally in India. Many large sectors already have pre-existing laws and procedures for data and its localisation; these include the financial sector, healthcare and the telecom industry.
Proposed Data Protection Bill
Experts fear that the proposed Personal Data Protection Bill (PDP Bill) has severe gaps when it comes to accountability for data breaches. The bill aims to fill all the current gaps in the legislative framework, which currently functions as guidelines rather than fully expressed law. One of the shortcomings highlighted is that the PDP Bill fails to specify precise timelines within which data breaches should be reported. When it comes to localisation of data, the proposed PDP Bill contradicts the current guidelines on payment data, under which data needs to be physically stored in India. Under the new law, data collected as part of payment processes does not have to be stored in India. The original PDP Bill was proposed back in 2018, but no definitive action has yet been taken. This is a historic opportunity for India that should not be squandered by rushing the process of implementing it. The PDP Bill needs to be re-evaluated, and its critical gaps filled, to ensure that it can both protect privacy and support innovation and productivity growth.