Implications of India’s Data Protection Framework on Businesses

Introduction

The Internet has given birth to various sectors and professions and opened an entirely new market, which is more innovative, technical, and efficient. The 21st century has witnessed such an explosive rise in the number of ways in which we exchange information, that it is widely referred to as “The Information Age”.[1]

The Information Age has taken India to new heights of excellence in education, medicine, communication, public services, and almost all walks of governance. In this Information Age, almost every single activity undertaken by an individual or a business involves some sort of data transaction. Any transaction between two or more parties involves an exchange of information between them. Any such information or data collected by the parties should be used only for the specific purposes for which it was collected. The need arose to create rights for those who have their data stored and to create responsibilities for those who collect, store and process such data. The law relating to the creation of such rights and responsibilities may be referred to as ‘Data Protection Law’.[2]

Importance of Data Protection Law for Business

Data protection, also referred to as data privacy or information privacy, is the process of protecting and securing important data from being compromised or corrupted. The importance of data protection increases as the amount of data created and stored continues to grow at unprecedented rates. There is also little tolerance for downtime, which can make it impossible to access important information. With the amount of data created and stored daily, data protection is becoming more and more imperative. The goal of data protection is to find a balance between individual privacy rights and permitting data to be used for business purposes.[3] The coronavirus pandemic caused millions of employees to work from home, resulting in the need for remote data protection. Businesses must adapt to ensure they are protecting data wherever employees are, from a central data center in the office to laptops at home.[4]

Why Is Data Protection Important?

1) Protects Valuable Data

Data protection safeguards valuable information, which is a critical asset to the company. Valuable data may contain the personal information of clients, or information related to any deal or any internal issues of the company.

2) Protection against hackers

Hackers are the main threat as they can access sensitive information. By using data protection to secure sensitive data, criminals can be deterred from identity theft, phishing scams, or other types of fraudulent activities.

3) Prevents your website from going down

For businesses that have their own website, a potential cyber breach could cause a major problem. If the data is accessed by unauthorized people, the website of that business could be forced to close or may experience downtime. This will affect business revenue, as there will be a loss of transactions.

4) Better Business Management

As data protection requires better management and storage of information, this can prompt companies to have better business practices.[5]

5) To Build Customer Loyalty

Today’s main concern is data theft, which can involve personal and business information. So, to attract customers, businesses should use data protection, through which customers will trust the business and stay in a relationship with it for the long term.

6) To improve the brand value of the Business

Most organizations suffered damage to their reputation and brand value as a result of a privacy breach. Organizations whose primary goal is to care about their consumers’ privacy, and which support that goal with transparent and consistently followed privacy practices that demonstrate this care, will build emotional connections to their brand, which will improve their brand value.[6]

Data Protection Challenges That Businesses Face

In today’s globalized economy, data privacy is a top concern for all types of businesses. Because data breaches have become common, companies are now more inclined toward protecting their private data. However, this is challenging for most businesses, as protecting data is not convenient, affordable, or easy. Businesses working in various countries and states face many challenges, as the laws and regulations governing data privacy change and can conflict with one another.

1. Lack of Awareness

In this era of a borderless economy, thousands of companies operate in multiple countries and must comply with each jurisdiction’s data privacy laws and regulations. This can be challenging mainly for start-ups and SMEs that have customers in several states or countries, as the regulations related to data privacy vary from country to country. To avoid such challenges, businesses should educate themselves about the laws of the countries in which they are operating. The company should ensure that its employees are trained and well versed in the laws of the particular country or state in which the company is operating.

2. Inconsistent Policies

In this era of globalization, policies and laws change with the development of society. This inconsistency can create gaps in data protection, leaving customer information vulnerable to data breaches. To protect customers’ privacy, businesses must develop a robust privacy management program. They also must ensure that these policies are consistently implemented across the organization.

3. Complex Regulations

Data privacy laws and regulations are complex and subject to change. Businesses must comply with data privacy regulations in every vital market in which they have customers. So, if they have customers in 55 countries, they must comply with the privacy laws in effect in those 55 countries. By staying informed of global regulations and working proactively to comply with them, businesses can overcome the challenges associated with data privacy and create a safe and secure environment for their customers worldwide.

4. Lack of Resources

Many tech start-ups and SMEs lack the resources to effectively protect customers’ data, leaving them vulnerable to data breaches. As a result, they are forced to take shortcuts that leave them susceptible to data breaches. Because privacy compliance is a complex and ever-changing landscape, it is difficult for them to keep up and comply with the latest regulations.

5. Customer Confusion

Businesses collect customer data in order to work on it and give a better experience and service to their customers. Sometimes customers might not be aware of the data privacy policies implemented by businesses, or they might not understand the complex policies and how their data is protected. This confusion can lead to mistrust, which can damage the relationship between the business and the customer.

It is the duty of the company to explain to its customers the data privacy policy it uses for their safety, so that trust can be maintained and the customers can completely rely on that business.[7]

Data Protection Regime in India

Presently India does not have any direct regime on data protection or privacy. However, the relevant law in India dealing with data protection is the Information Technology Amendment Act, 2008.

  • Section 43A – Compensation for failure to protect data.

Under this section, if a body corporate that possesses, deals with or handles any sensitive personal data or information is negligent in implementing and maintaining reasonable security practices, resulting in wrongful loss or wrongful gain to any person, then such body corporate may be held liable to pay damages to the person so affected. It is important to note that there is no upper limit specified for the compensation that can be claimed by the affected party in such circumstances.

This section defines ‘reasonable security practices and procedures’ to mean security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure, or impairment, as may be specified in any law.

  • Section 72A – Punishment for disclosure of information in breach of lawful contract.

This section deals with punishment for disclosure of information. Under this section, disclosure of information, knowingly and intentionally, without the consent of the person concerned and in breach of a lawful contract has also been made punishable with imprisonment for a term extending to three years and a fine extending to Rs. 5 lakh.[8]

But the main concern is whether this new amendment to the IT Act is adequate or not. The provisions purportedly for data protection stand out as an ugly patchwork on the IT Act and do not offer any comprehensive protection to personal data in India.

Having only two provisions for data protection and privacy is not adequate, given that India is a major IT power on the global map today. The issue of data protection and privacy in the Information Technology Act, 2000 is dealt with in a piecemeal fashion. There is no provision on data quality, proportionality, data transparency, etc., which would properly address and cover data protection issues. Even after the amendment to the IT Act, India is still lagging behind in framing a real legal framework for data protection and privacy.[9]

On December 11, 2019, the Data Protection Bill was introduced in Lok Sabha. The Personal Data Protection Bill, 2018 was prepared by a high-level expert group headed by former Supreme Court judge B. N. Srikrishna. The Data Privacy/Protection Bill is landmark legislation meant to regulate how various companies and organizations use individual data inside India. The Bill categorizes data into three categories: critical, sensitive, and general. Sensitive data (financial, health, sexual orientation, biometrics, transgender status, religious or political beliefs, and affiliation) can be stored only in India. The Bill regulates “data fiduciaries” and “data processors”. The Bill establishes the Data Protection Authority of India to oversee and regulate the processing of data. The Authority has wide powers under the Bill, and will, over time, issue regulations to address various operational aspects of the law.[10]

But the Data Protection Bill proposed in 2019 was opposed by social media firms, experts, and even ministers, who said that the Bill has too many loopholes. So, the Government of India withdrew the Bill and will revamp it, as strong regulations are needed to safeguard the data and privacy of citizens.[11] A comprehensive approach to the laws will be undertaken by the government, and the Bill will come back to Parliament very quickly after following the process of consultation.

Conclusion

India has built itself an enviable global reputation in the IT sector, but even so India does not have a strong Data Protection Act. India is not a party to any convention on the protection of personal data which is equivalent to the GDPR or the Data Protection Directive. However, India is a party to other international declarations and conventions, such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which recognize the right to privacy.[12]

The EU has its strong Data Protection Law, and even the USA has come up with a better version of the Data Protection Law. India is still far behind them all. India has withdrawn its Data Protection Bill in order to upgrade it and make it strong in line with changing circumstances. The upcoming data protection law in India will affect data use across sectors. The proposed data regulator will have the power to designate any data fiduciary (our equivalent to what the GDPR calls “data controllers”, entities that decide the purpose and means of collecting data) as a significant data fiduciary (SDF), based on certain criteria. These include the volume and sensitivity of data processed, use of new technologies, processing of children’s data, and social media companies.[13] This will lead to the creation of new hardware and software standards, which will help in the overall development of India.

[1] Available at https://digitalindia.gov.in/writereaddata/files/6.Data%20Protection%20in%20India.pdf

[2] Adv. Swati Sinha, “Data Protection Law In India-Needs And Position”, available at https://www.legalserviceindia.com/article/l368-Data-Protection-Law-In-India.html

[3] Available at https://www.swiftsystems.com/guides-tips/benefits-of-data-protection/

[4] Paul Crocetti, Stacey Peterson, Kim Hefner, “What is data protection and why is it important”, available at https://www.techtarget.com/searchdatabackup/definition/data-protection, February 2021

[5] Available at https://www.swiftsystems.com/guides-tips/benefits-of-data-protection/

[6] Available at https://www.cpomagazine.com/blogs/privacy-intelligence/12-reasons-why-data-privacy-protection-brings-business-value/

[7] Josephine Yam, “Top Five Challenges Businesses Face with Data Privacy”, available at https://resources.skills4good.com/top-five-challenges-businesses-face-with-data-privacy

[8] Rajnish Kumar “Data Protection and Liability”, available at https://nair.indianrailways.gov.in/uploads/files/1397106115233Data%20Protection%20and%20Liability%20by%20Rajnish%20Kumar.pdf, April 2014

[9] Mohammed Nyamathulla Khan “Does India have a Data Protection Law?”, available at https://www.legalserviceindia.com/article/l406-Does-India-have-a-Data-Protection-law.html

[10] Mathew Chacko, Aadya Misra, and Shambhavi Mishra, “A Guide To The Data Protection Bill, 2021”, available at https://www.mondaq.com/india/privacy-protection/1213494/a-guide-to-the-data-protection-bill-2021, 20 July 2022

[11] Available at https://www.livemint.com/news/india/explainer-data-protection-bill-significance-criticism-all-you-neeed-to-know-11659530273031.html

[12] Talwar Thakore & Associates, “Data Protected – India”, available at https://www.linklaters.com/en/insights/data-protected/data-protected---india, September 2022

[13] Kanupriya Grover, “What Does India’s Proposed Data Protection Law Mean for Start-ups?” available at https://inc42.com/resources/what-does-indias-proposed-data-protection-law-mean-for-startups/, 12 February 2022
