“Digital Freedom stops where that of the users begins. Nowadays digital evolution must no longer be offered to a customer in trade-off between privacy and security. Privacy is not for sale, it’s a valuable asset to protect.” - Stephane Nappo, Vice President, Groupe SEB
The Internet is now a major part of everyone’s life across the world. It is very difficult to imagine a single day without the internet. As internet use expands, it is helping organizations reach more potential customers and expand their market. As organizations reach more customers, they will also be keen to collect customer data relating to purchases, likes, etc., so that their algorithms can recommend similar products to those customers. This means that companies possess a lot of information about their customers, and that data mustn’t be misused in any way.
The draft data protection bill released by the government of India aims to address some of these concerns about the fair use of data.
“Currently, seven out of the ten highest valued global brands are data companies. Data as the new oil? Clearly. When you invest in data, its storage, its management and its analysis, you’re investing in innovation.” - Thomas Harrer, IBM Distinguished Engineer - CTO Server & Storage EMEA
First, let’s look at the principles on which the bill is based:
1. The first principle is that usage of personal data by organizations must be done in a manner that is lawful, fair to the individuals concerned, and transparent to the individuals.
2. The second principle of purpose limitation is that the personal data is used for the purposes for which it was collected.
3. The third principle of data minimization is that only those items of personal data required for attaining a specific purpose must be collected.
4. The fourth principle of the accuracy of personal data is that reasonable efforts are made to ensure that the individual’s data is accurate and kept up-to-date.
5. The fifth principle of storage limitation is that personal data is not stored perpetually by default. The storage should be limited to such a duration as is necessary for the stated purpose for which the data was collected.
6. The sixth principle is that reasonable safeguards are taken to ensure that there is no unauthorized collection or processing of personal data.
7. The seventh principle is that the person who decides the purpose and means of processing personal data should be accountable for such processing.
“In the next three years, the value of data will increase, making it even more valuable than it is today. The more efficiently you store your data, the more benefits your business will see.” - Thomas Harrer
Keywords in the data protection bill 2022
1. Data Principal: The individual whose data is being collected. For children, parents and guardians will be considered Data Principals.
2. Data Fiduciary: The entity (individual, company, firm, state) which decides the purpose and means of the processing of an individual’s personal data.
3. Significant Data Fiduciary: The entities dealing with a high volume of personal data. Such entities will be required to appoint a ‘Data Protection Officer’ and an independent Data Auditor.
Significant aspects of the bill
1. Cross-border transfer: The bill allows the transfer of data only to countries notified by the government, and only if those countries have a proper data security landscape and the government can access data of Indians from there.
2. Data Protection Board: The bill proposes to set up a Data Protection Board. If a consumer has a grievance with a Data Fiduciary, the consumer can file a complaint with the board.
Rights of individuals
1. Access to information: The bill mandates that individuals should be able to access basic information in languages specified in the eighth schedule of the Constitution of India.
2. Right to consent: Consent of the individual is essential before the data can be processed by the Data Fiduciary. The individual has a right to know which items of personal data the fiduciary wants to collect, the purpose of such collection, and any further processing. Individuals can also withdraw consent from the fiduciary.
3. Right to erase: Data principals will have the right to demand the erasure and correction of data collected by the Data Fiduciary.
For Data Fiduciaries, data breaches or a failure to notify users when breaches occur can result in fines ranging from Rs. 50 crores to Rs. 500 crores.
National security-related exemptions are in place whereby the government can exempt its agencies from complying with the act when matters of national sovereignty are at stake.
Overall, this bill is a start on the long journey toward data protection. India has begun to take the issue seriously and has taken a range of steps not only to secure data but also to give the Data Principal, who is the individual here, rights over their data, which is a step in the right direction. Source: MEITY.
Gorisco has a wide range of experts with various solutions to help organizations mitigate their risks and solve their problems.
At Gorisco, our motto is 'Embedding Resilience' and we are committed to making organizations and their workforce resilient. Reach out to us if you have any queries or clarifications, or need any support on your initiatives.