Data protection law in India is a step closer to being enacted after Union IT Minister Ravi Shankar Prasad introduced the Personal Data Protection Bill, 2019, in Parliament. Due to the compound increase in the number of online transactions and the amount of data generated, we require a concrete bill to enhance our data protection. The bill must focus on providing a framework for protecting individuals’ privacy by informing the customers about how their data is processed.
How Did It Happen?
In July 2017, the Government of India formed a committee of experts headed by retired Supreme Court Justice B. N. Srikrishna to study the issues related to data protection law in India. After working on it for a year, the committee submitted a draft of the Personal Data Protection (PDP) Bill in July 2018 and requested feedback from the public, Ministers, stakeholders, and other industry experts. Based on the input, a revised draft of the bill was submitted in the Lok Sabha, the lower house of Parliament, in December 2019. It has now been referred to a 30-member Joint Parliamentary Committee for review, which is expected to submit its report on or before April 3, 2020.
What Rights does this Bill Offer?
- The Personal Data Protection Bill (PDP Bill) is India’s first attempt towards the protection of personal data. The bill regulates the processing of citizens’ data by the government and by companies incorporated in India.
- The proposed bill also allows the processing of data by companies only with the consent of the individual. However, the bill also permits personal data processing without consent in exceptional cases like medical emergencies and for legal proceedings.
- The bill also permits customers to move their data from one provider to another and allows users to know the number of companies with whom the data is shared.
- Additional responsibilities are also imposed on companies based on the volume of data they collect from customers. This includes periodic security audits, the appointment of a data protection officer, and performing data protection assessments defined by the regulator.
- Severe penalties have been proposed for failing to comply with the data protection requirements, with fines extending up to INR 15 crores (around US$ 2.1M) or 4 percent of the company's global turnover.
- In terms of data localization, the bill allows the transfer of personal data across borders without any limitations. However, restrictions are placed on sensitive personal data, which needs to be stored in India. Sensitive personal data can also be processed outside the country if the regulator approves it.
Data Protection Bill vs. Industries
This bill is expected to create disruptions across industries, and it is set to have a significant impact on fintech, as it requires fintech companies to prepare for additional compliance obligations. Fintech platforms handle large volumes of sensitive customer data: names, cell phone numbers, addresses, bank account numbers, credit history, and PAN. The bill classifies all forms of personal financial data as ‘sensitive personal data.’ This classification may bring more complications to the sector, as the chances of these fintech companies being ranked as ‘Significant Data Fiduciaries’ are very high.
Another challenge is the provision of the ‘right to be forgotten,’ where organizations are not allowed to access customer data after the purpose for which it was shared is met unless they have explicit consent from the customer. The deletion of data can create new regulatory bottlenecks for fintech companies, as they won’t be able to assume ownership of consumer data as their own. This will also erode their competitive edge over other companies where data was their moat. In contrast, opportunities will open for new players like consent brokers, who facilitate data sharing, storage, and management of end-user data across multiple platforms on behalf of users.
It might take a long time for fintech companies to adapt to the new data protection guidelines. However, companies should start making investments in data systems to comply with the bill as soon as possible to avoid hefty penalties.