The Personal Data Protection Bill, 2019 has several implications for citizens and businesses. There are implications for the government too. The cost of compliance is one of them.
The government has to establish the Data Protection Authority of India to protect the interests of citizens, monitor companies processing data, as well as prevent any misuse of personal data. However, this is likely to be a long-drawn and expensive process.
The reason is that every company that processes data has to prepare a 'Privacy by Design' policy, which must be submitted to the Authority for certification within a specified period. The policy is expected to substantiate the managerial, organisational, business practices and technical systems that a company has designed to anticipate, identify and avoid harm to the person whose data is being processed.
"Every data fiduciary getting their Privacy by Design policy certified is a pain - the Data Protection Authority will get inundated with these policies. You may need cells all over India. There may be state level enforcement mechanisms. The authority would need mammoth staff. So compliance comes with a cost," Sajai Singh, Partner at J Sagar Associates, Advocates & Solicitors, says.
If the Authority doesn't function properly, there could be inordinate delays and businesses would suffer, he adds.
The Bill lays out a number of responsibilities the Authority must discharge. Besides certifying Privacy by Design policies, the Authority's responsibilities also include monitoring cross-border transfer of personal data, monitoring technological developments and commercial practices that may affect protection of personal data, and receiving and inquiring into complaints. The Authority would also maintain a database containing names of significant data fiduciaries (companies that process data) along with a rating in the form of a data trust score indicating compliance.
Setting up these processes will take time and Singh wishes the government indicated a timeline.
Meanwhile, privacy experts and think tanks have pointed to several red flags in the 2019 Bill.
"The government has excessive powers to access data for purposes as defined by them. In the absence of a surveillance law, it provides the government with unfettered access to any personal data," Kazim Rizvi, Founding Director of The Dialogue, a think tank, says. "Moreover, insights derived from personal data are defined as personal data, which means that the state can access all forms of insights from companies. This means that intellectual property of data fiduciaries may be sought by the government, which will send a negative message to the global investor community. Why would an investor invest in Indian tech startups knowing that the government can any day ask for insights that can kill their business models?" Rizvi asks.
"Sec. 35 of the PDP Bill, 2019 effectively enhances existing surveillance powers of the government and gives the State overarching power to access personal data. This provision enables government surveillance projects like the NATGRID, CMS, and the nationwide facial recognition programme," noted legal services organisation SFLC.in in a statement. "Even the Srikrishna Committee Report recognised that unfettered access to the State of personal data, without adherence to established safeguards is potentially unconstitutional. We believe that granting access of personal data to the State, without appropriate safeguards and judicial oversight is against established constitutional principles and should not form part of the PDP Bill, 2019," the body adds.