Yesterday, India circulated a new version of its much-awaited Data Protection bill amongst the members of parliament. The bill, which will be discussed in the parliament soon, puts a framework around data collection with consent from people in India and proposes unrestricted access to non-personal data by the government.
Last year, a committee formed under justice BN Krisha submitted a draft bill to the government, which sparked heated discussions. One of the primary topics was an intermittent liability that held platforms such as WhatsApp, Facebook, and Google liable for content distributed on their platform.
The new version, to be tabled in parliament today by minister RS Prasad, also has relaxed norms on data localization. It doesn’t force companies to store data locally and allows free flow of data across borders.
After fake news circulated on WhatsApp, lead to the loss of more than 30 lives last year, the center demanded the platform should have the ability to trace messages. However, the chat app has stood firm and said it’ll have to break encryption to trace messages and the company’s not ready to risk user privacy to achieve that.
Here are the key points of the new version of the data bill:
- India will form a Data Protection Authority (DPA) to oversee the implementation and regulation of the bill
- India can exempt any government agency from the purview of the bill “in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order.”
- A company can get a fine of Rs. 15 crores ($2.1 million) or four percent of its global revenue for processing children’s data unlawfully.
- For failing to report a data breach or violations found in data audits, the fine is Rs. 2 crores ($283,000) or two percent of global revenue.
- The center can form and change any policy around non-personal data such as anonymized search results or shopping data. It can ask any company or entity to submit non-personal or anonymized data.
- Social media entities “whose actions have, or are likely to have a significant impact on electoral democracy, the security of the State, public order or the sovereignty and integrity of India” will be considered significant data fiduciaries. They’ll have to inform authorities if they’re undertaking large scale profiling of sensitive data such as sexual orientation or biometrics.
- These entities will also have to provide a means for users in India to voluntarily verify themselves and show a mark of verification next to their profiles.
Currently, there are quite a few questions and concerns regarding the bill. The primary concern is that the government can exempt any agency. That may give the said agency unlimited and uninterrupted access to data of citizens whether it needs it or not.
Under the proposed data protection bill, government can grant exemptions to certain companies to collect any personal data. Bad idea.
— Srinivas Kodali (@digitaldutta) December 10, 2019
As Mozilla’s early analysis outlines, rather than forming a diverse committee of executive, judicial, and external expertise to appoint members of the Data Protection Authority (DPA), government executives will have the power to appoint them.
The proposed media verification method is quite unclear and cumbersome at the moment. In August, Madras high court had ruled against linking social media accounts with government IDs.
Mozilla’s policy advisors said the move “will be disastrous for the privacy and anonymity of internet users, the law contains a provision requiring companies to provide the option for users to voluntarily verify their identities.” A report from the Economic Times suggests social media entities will have to report users that are not verified, even if the verification is ‘voluntary.’
As MediaNama’s Editor, Nikhil Pahwa noted, it’s also confusing as to why non-personal data is part of a personal data protection bill. Companies might be also worried about the center’s unrestricted access to non-personal data.
While the bill introduces positive points such as relaxed data localization norms, the right to be forgotten, and strict data processing obligations, it still leaves a lot to be desired with the exemption of government agencies, cumbersome social media verification, and unlimited government access to non-personal data.
We’ll keep a close watch on the parliament discussion to inform you about developments regarding India’s Data Protection Bill. You can also follow all updates through Medianama’s live blog.