RRU Director says India’s Data Protection bill modelled on Europe’s GDPR
Table of Contents
The necessity of Data protection
Data protection is necessary for several reasons, including:
Protection of privacy: Personal data can include sensitive information such as financial and health records, biometric data, and other personal identifiers. Protecting this information is essential for safeguarding an individual’s privacy and preventing unauthorized access, use, or disclosure.
Prevention of identity theft and fraud: Personal data can be used by criminals to commit identity theft and fraud, leading to financial losses and other harmful consequences. Robust data protection measures can help prevent such incidents from occurring.
Compliance with legal and regulatory requirements: Many countries have laws and regulations that require organizations to protect personal data. Failure to comply with these laws can result in penalties, fines, and legal action.
Protection against cyber attacks: Personal data is a valuable asset for cyber criminals, who may attempt to steal it for financial gain or to harm individuals or organizations. Data protection measures can help prevent such attacks and mitigate their impact if they occur.
Overall, it is essential for ensuring the privacy, security, and safety of personal data, which is critical in today’s digital age.
The Proposed Data Protection Bill 2019
The Data Protection Bill in India is officially called the Personal Data Protection Bill, 2019. It is a proposed legislation that seeks to regulate the collection, storage, processing, and sharing of personal data by both government and private entities in India. The bill was introduced in the Indian Parliament in December 2019 and is currently under review by a parliamentary committee.
The key provisions of the bill include:
Definition of personal data: The bill defines personal data as any data that can directly or indirectly identify an individual. This includes sensitive personal data such as financial, health, and biometric data.
Data protection obligations: The bill lays down obligations for data fiduciaries (entities that collect and process personal data). These include obtaining explicit consent for data collection and processing, implementing data security measures, and ensuring transparency in the data processing.
Rights of data principals: The bill also provides data principals (individuals whose data is being collected and processed) with certain rights, such as the right to access their data, the right to correction of inaccurate data, and the right to data portability.
Data localization: The bill mandates that a copy of all personal data collected and processed in India must be stored within the country. However, certain categories of data may be exempted from this requirement.
Penalties for non-compliance: The bill proposes hefty penalties for non-compliance with its provisions. Data fiduciaries that violate the provisions may be fined up to 4% of their global turnover, or Rs. 15 crores, whichever is higher.
Once enacted, the Personal Data Protection Bill, of 2019 will replace the current Information Technology (IT) Act, of 2000, which does not provide comprehensive data protection regulations. The bill has been subject to much debate and discussion, with some stakeholders raising concerns over its potential impact on the Indian tech industry and the privacy of Indian citizens.
The bill aims to provide greater control to individuals over their data, including the right to be forgotten and the right to data portability. It also proposes hefty fines for data fiduciaries who violate the provisions of the bill, which is up to 4% of their global turnover or Rs. 15 crores, whichever is higher. In addition to the proposed bill, the Reserve Bank of India (RBI) has also issued guidelines for data protection and security in the financial sector. The RBI guidelines require banks and financial institutions to implement robust data security measures, including encryption, access controls, and regular security audits.
The Proposed Data Protection Bill is framed on a European Model
According to Nidhish Bhatnagar, Director of the School of Information Technology, Artificial Intelligence and Cyber Security at Rashtriya Raksha University (RRU), Gandhinagar, the soon-to-be-introduced Digital Personal Data Protection Bill, 2022, will have provisions similar to the General Data Protection Regulation of the European Union but with a focus on the Indian society.
The responsibility for maintaining the security of personal information, such as phone numbers and Aadhar numbers, will be on the agency, organization, or other body that obtained the information. As he opened a four-day cyber security incident response training for 25 tier-1 officers of the National Informatics Centre (NIC) on Monday, Bhatnagar said that this would also include the right to be forgotten, similar to the General Data Protection Regulation of the European Union, but would be more focused on Indian society and the way our governance models work.