Data is any collection of information that is stored in a way that computers can easily read (think 011010101010 format). Data usually refers to information about your messages, social media posts, online transactions, and browser searches.
Data is stored in a physical space similar to a file cabinet of documents, and transported across country borders in underwater cables that run as deep as Mount Everest and as long as four times the Indian Ocean. To be considered useful, data has to be processed, which means analysed by computers.
Data is collected and handled by entities called data fiduciaries. While the fiduciary controls how and why data is processed, the processing itself may be done by a third party, the data processor. This distinction is important to delineate responsibility as data moves from entity to entity. For example, in the US, Facebook (the data controller) fell into controversy for the actions of the data processor Cambridge Analytica.
The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows.
Key Highlights of the Data Protection Bill 2018
- The Bill regulates the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad. Processing is allowed if the individual gives consent, or in a medical emergency, or by the State for providing benefits.
- The data principal has several rights with respect to their data, such as seeking correction or seeking access to their data which is stored with the fiduciary.
- The fiduciary has certain obligations towards the individual while processing their data, such as notifying them of the nature and purposes of data processing.
- The Bill allows exemptions for certain kinds of data processing, such as processing in the interest of national security, for legal proceedings, or for journalistic purposes.
- The Bill requires that a serving copy of personal data be stored within the territory of India. Certain critical personal data must be stored solely within the country.
- A national-level Data Protection Authority (DPA) is set up under the Bill to supervise and regulate data fiduciaries.
After the public release of a draft Bill by a committee headed by Justice B N Srikrishna in July 2018, India was caught in the middle of a global debate on data localisation at the G20, the Organisation for Economic Co-operation and Development (OECD) and other fora.
In the Bill approved by the Cabinet, there are three significant changes from the version drafted by the committee headed by Justice B N Srikrishna.
- The draft had said all fiduciaries must store a copy of all personal data in India — a provision that was criticised by foreign technology companies that store most of Indians’ data abroad and even some domestic startups that were worried about a foreign backlash. The approved Bill removes this stipulation, only requiring individual consent for data transfer abroad. Similar to the draft, however, the Bill still requires sensitive personal data to be stored only in India. It can be processed abroad only under certain conditions including the approval of a Data Protection Agency (DPA). The final category of critical personal data must be stored and processed in India.
- The Bill mandates fiduciaries to give the government any non-personal data when demanded. Non-personal data refers to anonymised data, such as traffic patterns or demographic data. The previous draft did not apply to this type of data, which many companies use to fund their business model.
- The Bill also requires social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data as well as their turnover, to develop their own user verification mechanism. While the process can be voluntary for users and can be completely designed by the company, it will decrease the anonymity of users and “prevent trolling”.
“The bill will encourage entities to start processing data in India and with a high level of data consumption, the country is expected to become one of the world’s biggest centres of data refinery. The bill allows processing of data for lawful purpose only,” — Government Officials
The individual whose data is being stored and processed is called the data principal in the PDP Bill. This large collection of information about you and your online habits has become an important source of profits, but also a potential avenue for invasion of privacy because it can reveal extremely personal aspects. Companies, governments, and political parties find it valuable because they can use it to find the most convincing ways to advertise to you online. It is now clear that much of the future’s economy and law enforcement will be predicated on the regulation of data, introducing issues of national sovereignty.
As far as violations are concerned, a company will have to cough up as much as ₹5 crore or 2% of its worldwide turnover, whichever is higher, in case there is a data breach or inaction by the fiduciary or a minor violation. In case of major violations such as data processed or shared without consent, there will be a penalty of ₹15 crore or 4% of global turnover, the official said. Besides, there is also a jail term for any violation.
The Bill calls for the creation of an independent regulator, the DPA, which will oversee assessments, audits and definition making. Each company will have a Data Protection Officer (DPO) who will liaise with the DPA for auditing, grievance redressal, record maintenance and more. The committee’s draft had required the DPO to be based in India.
Note: The Bill has been cleared by the Cabinet. Government sources said they were open to the “widest debate on this Bill”, which is expected to be tabled in Parliament during the ongoing Winter Session.