The draft of the 2019 Personal Data Protection Bill in India is currently being scrutinized by a 30-member Joint Committee of Parliament. Representatives from Facebook India recently appeared before the committee, marking a significant step in that process. Amazon, however, declined to appear, citing the risk of travel during the ongoing pandemic.
A Look at Tech Giants and Data Security
Several tech giants including Amazon, Twitter, Facebook, Google and Paytm were approached by the committee to share their insights on data security and protection. This comes amid rising concerns that the privacy of users is being compromised for commercial interest. Amazon’s refusal to appear could potentially lead to a breach of parliamentary privilege, with the panel asserting that coercive action may be taken if no representative appears at the next meeting.
Scrutinizing Facebook’s Data Model
Facebook was questioned regarding its methods of audience targeting, its data storage model, and the transfer of user data, among other matters.
The 2019 Personal Data Protection Bill: An Overview
Often referred to as the “Privacy Bill”, the 2019 Personal Data Protection Bill seeks to protect individual rights by regulating the collection, movement, and processing of personal data or data that can identify an individual. The Bill was inspired by a previous draft version prepared by retired Justice B N Srikrishna’s committee. It gives the government powers to authorize the transfer of certain types of personal data overseas and allows exceptions for government agencies to collect citizens’ personal data.
Understanding Privacy: Data Classification
The Bill classifies data into three categories: personal data, sensitive personal data, and critical personal data. The storage of these data types depends on their categorization. For example, sensitive personal data, which includes information such as financial details, health-related data, and more, needs to be stored only in India and can be processed abroad only under certain conditions.
Data Mirroring and Data Transfer Abroad
The Bill removes the requirement for data mirroring but mandates consent from individuals for data transfer abroad. Earlier versions of the Bill allowed personal data to be transferred outside India, with a subcategory of Sensitive Personal Data (SPD) having to be processed in the country while keeping a copy within the country.
Non-personal Data and Data Fiduciaries
The new draft of the Bill covers non-personal data and requires data fiduciaries to provide the government with any non-personal data when demanded. Non-personal data refers to anonymized data like traffic patterns or demographic information. As defined in the Bill, a data fiduciary could be a service provider who collects, stores, and uses data while providing goods and services.
Account Verification and User Anonymity
Companies and social media intermediaries categorized as “significant data fiduciaries” are required by the Bill to enable users in India to voluntarily verify their accounts. The verification should be visible to all users of the service, a measure likely intended to decrease user anonymity and prevent online trolling.
Benefits and Drawbacks of the Bill
While proponents of the Bill believe that data localization can increase the government’s ability to tax internet giants and help law-enforcement agencies access data for investigations, critics argue that the Bill’s terms are open-ended and subjective, which may lead to intrusion into citizens’ private lives. Tech companies such as Facebook and Google have been critical of the proposed legislation, fearing that it may set a precedent for protectionist data policies in other countries. There are also concerns about its potential negative impact on India’s startups and larger firms that process foreign data.