Securing Digital Personal Data
Vishrut A.
Surely you use the Internet. Of course, since you are reading this article. With India contributing 759 million people accessing the Internet today and possibly 900 million by 2025, there is an exponentially growing deluge of data that necessitates essential safeguards to come into place. The European Union, for example, has a comprehensive framework for all internet businesses called the EU General Data Protection Regulation (EU GDPR). The purpose of the law is to prevent the misuse of personal data, and it has a clear, all-encompassing definition of what can be considered digital personal data. It regulates businesses of any size providing goods and services online to customers within the Eurozone, from the smallest local enterprises to tech giants like Google and Microsoft.
The Government of India has been taking the initiative to bring about similar legislation to prevent personal data misuse in India and will be tabling the Digital Personal Data Protection Bill 2022 in the upcoming monsoon session of Parliament. The bill is the fourth attempt in five years by the Union Government to institute a framework to prevent data misuse.
Since 2018:
The bill first came under scrutiny as the Personal Data Protection Bill 2018. It was amended to be passed in Parliament officially in 2019 but was referred to a Parliamentary commission, which submitted its report on 16 December 2021. The bill was withdrawn in the Monsoon session of 2022, as the additional revisions made to it faced resistance. The upcoming bill, passed by Cabinet on 5 July 2023, will be put to the floor in the upcoming Parliament session.
Since the first draft, the following definitions have been made:
Data Principal: Individual authors of personal data who are submitting their particulars online to a service provider.
Data Protection Board: Now included in the upcoming draft. It will be the assigned regulator that is notified by consent managers and identifies breaches and non-compliance. The DPB will hear data fiduciaries on violations they may commit and direct appropriate remedial measures.
Data Protection Authority: A committee consisting of experts and Government representatives who will enforce the law under notification of the to-be constituted Data Protection Board and will be implementing necessary measures against breaches as the Union Government prescribes. They had broader oversight and functions, including all the functions of the Data Protection Board, which is to identify data security breaches in the 2018, 2019, and 2021 drafts. The same drafts made them responsible for flagging personal data exports.
Data fiduciary: Data fiduciary refers to all businesses providing services online. Social media companies were referred to as significant data fiduciaries in the 2018 and 2019 drafts, and cross-border personal data movements had to be arbitrated by the Data Protection Authority. These service providers needed to make an in-house data processor in India, while in the upcoming bill, they do not have to localise data.
Consent Managers: Entities that data principals can nominate for enforcing their rights, like notifying the Data Protection Board of breaches in antitrust and requesting businesses collecting personal data online to delete or modify their data.
Consent for sharing of personal data of minors: Consent for data is to be given by their legal guardians, which has stayed constant throughout the past four versions.
In the 2021 iteration of the law, many types of personal laws were defined, and it was recommended to provide separate legislation on obtaining consent for their sharing. The 2022 law does away with it and leaves the sharing of the different types of personal data entirely to the authors.
Deemed consent: A new type of consent, known as deemed consent, is to be introduced. It covers instances such as due diligence processed on an individual for mergers and acquisitions, responding to a medical emergency, or availing critical government services like passport and driving license applications. Essentially, it is consent that data principals have to give to a data fiduciary if the law compels it.
Some of the arguments which have stalled the law till now are:
Generative artificial intelligence, which has the capability to fabricate text, speech, and even imagery, can enable instances of forgery and spread misinformation to a vast audience. Entities, both legitimate businesses and online predators alike, are equally capable of collecting, storing, and misusing data for various sinister or unwanted purposes. As such, it is a matter of high concern for any nation, not just India, to have a regulation for the use of personal data, of all types, shared digitally.
In the United States, digital privacy is regulated under different state and federal laws. Such a framework would be difficult and face challenges in implementation if adopted in India. A Pan-India policy would be a step in the right direction. However, India is to have more internet users than any country worldwide, and the cases of breach put forth could be too many for a single committee to address in time. Addressing a breach in time is just as important as the framework itself.
References:
Image credits: ETech