With data now being the “new oil” and the government planning to bring a new data protection law to ensure the security and privacy of its citizens in the digital economy, experts have warned that there are key gaps in fixing accountability for data breaches.
In July last year, the Justice BN Srikrishna Committee submitted the draft Data Protection Bill, following which the Ministry of Electronics and IT (MeitY) prepared the original Personal Data Protection Bill, 2018. It is still not clear when the bill will finally be introduced in Parliament.
“I don't know what is the final form of the privacy (PDP) bill, as no further draft or final version has been published, nor does it appear that it will be placed in Parliament in this session. But there's an imbalance of accountability in the original version,” leading tech policy and media consultant Prasanto K. Roy told .
“There are several key gaps on accountability for data breaches. Unlike other global privacy regulations, the PDP Bill does not specify the exact timelines within which data breaches should be reported,” he added.
According to Pavan Duggal, one of the nation's leading cyber law experts, the personal data protection bill is a “historic opportunity” that has come India's way, but the country should not squander that opportunity by hurrying things up.
“The proposed bill is largely based on the EU General Data Protection Regulation (GDPR) which came into effect in May last year. But it has not been customised for the Indian context. So if you are going to introduce alien concepts in the Indian ecosystem, the chances of them working will be very very less,” he said.
Duggal explained that the ambit of the proposed bill is very narrow as it deals only with personal data.
“It does not deal with non-personal data – data which is not specific to a person such as machine generated data or auto-generated data,” he said, adding that the quantum of proposed punishment for those who are found flouting the rules is not commensurate with the loss that data breaches may cause.
“If a data security breach causes humongous amount of loss to the nation, in such a situation just a jail term of a couple of years — that too also a bailable offense — will not make sense,” he said.
Moreover, in terms of data localisation, the provisions of the bill go against the stand taken by the Reserve Bank of India, he said.
“The RBI has taken the stand that all banking and payment data related to people of India should be physically stored in India. The proposed data protection bill says you do not need to keep the data in India – only keep a serving copy. That I think will not serve India better. And in all probability, it will hurt India's sovereign interest,” Duggal told .
However, according to Roy, data localisation would not adequately address security issues.
“Business wise, it causes extra costs – and not just for foreign firms but for India-based ones as well who are beginning to face the same demands in countries which are looking to India's localisation laws (Indonesia, Vietnam),” he said.
“Security can be affected in a number of ways by fragmenting networks and platforms. For instance fintech and card companies rely on complex anti-fraud platforms, which further rely on data from across the world,” Roy said.
“If we cut off India from those platforms then not only do they not draw on and learn from India's data, India also doesn't benefit from the real-time Artificial Intelligence (AI) and Machine Learning and anti-fraud technology and threat intelligence sharing provided by those platforms,” he added.
Duggal, however, feels that the bill is soft on intermediaries.
“The restrictions on use of personal data should be equally applicable to the government and its agencies and there must be adequate checks and balances,” he said.
“The personal data so collected should not be used against the individual or to the detriment of the individual,” Duggal added.