
In 2017, the Indian Supreme Court held that the right to privacy is a fundamental right. Afterwards, the Indian Parliament drafted a data protection bill, which has recently been reviewed by a Joint Parliamentary Committee.

The committee has recommended the following:

Expansion of the scope: the bill must cover not only personal data but non-personal data as well.

Provision for explicit consent, giving people the chance to opt out of providing their data if they want to. But the 2021 bill also provides for non-consensual processing of data whenever it “can be reasonably expected”, which leaves room for arbitrariness.

The term “social media intermediary” has been changed to “social media platform” to hold social media companies accountable. But more than nomenclature, what matters is defining the circumstances under which social media companies will be liable.

A 72-hour period for reporting a breach; if a company takes longer than 72 hours to report a breach, it must justify the delay.

A penalty on the defaulting party of Rs 15 crore or 4% of annual turnover, whichever is higher.

A time-aligned approach to enforcing the bill: the Data Protection Authority (DPA) should be active within six months, registration of “data fiduciaries” completed within nine months, and all provisions of the bill implemented within 24 months.

PDP: new law

The Personal data privacy bill aims to put India on the same footing as developed countries such as the US, the EU and the UK.

However, some differences that emerge are:

The DPA, unlike its counterparts in developed countries, is not independent: the government appoints the DPA’s members.

Firms handling large volumes of data will need to have their data-handling methods audited every year by auditors on a government-approved list.

Citizens have the right to access their data and the right to have it deleted, but unlike under the GDPR, they do not have a right not to be profiled.

Some India-specific requirements

It is uncertain which organisations will need DPA-approved audits. Probably, large organisations processing copious amounts of data will need to comply.

Companies that collect data from their customers must ensure that the collection and processing adhere to the Personal data privacy act.