THE DATA PRIVACY LAW

THE DATA PRIVACY LAW:IMPACT ON BUSINESSES

By-Madhav Maheshwari

Data privacy has been a real issue since the past few years and its importance to the users on the ground has increased over time but it does not seem to be the same way with the lawmakers.

It took our country several years to draft a bill on data privacy. The personal data protection bill, 2019 was tabled in the parliament on 11 Dec, 2019, and is currently being analyzed by the joint parliamentary committee.

So far, what has been outstanding is that the bill has a tremendous amount of regulations and compliances to be followed with.

Techno firms operating in India would require to comply with various types of structural & operational changes to meet with the needs of the provisions of the proposed law.

For illustration:

Companies store and process huge amounts of user’s data and their digital information on to their servers. Due to the magnitude of user’s critical data being with companies, issues like data privacy have gained very much importance in recent times.

It has not been much of a time since the Cambridge Analytica scandal occurred, the scandal surely changed the world but it did not change the modus operandi of a giant like Facebook. It is certainly a fact that the scandal was related to Donald trump’s political campaign which was most likely facilitated by the multi-giant i.e. Facebook.

All of this poses a much bigger threat to data privacy. And hopefully this recent incident has brought to light the impact of the data we share and generate.

One of the recent legislation that lays the foundation for data security and governance is EU’S GDPR (General data protection regulation) was adopted in 2016.

“How companies are going to look at the regulations is surely a debatable issue.

Various regulators such as GDPR have already come up with aggressive strategies to deal with the breaches such as: In case of a data breach the companies could have 3% of their revenues at stake”

The personal data protection bill surely goes beyond the IT Act 2008, section 43, and is largely based on EU’S GDPR.

India is going to be a substantial marketplace for IT hubs and BPOs in the coming decade and with this the companies will need to comply with several regulations, while data can be put to several uses, the unregulated use of data has raised concerns regarding the sovereignty and privacy of an individual. This was widely recognized by the apex court in a landmark judgment that the right to privacy is a fundamental right.

The whole business environment is surely going to take a turn be it in privacy or storing user data.

There are certain compliances that companies would require to follow such as:

Privacy Measures

The bill contains measures regarding the transparency and answerability.

These include enhancing privacy policy and to state the motive behind storing user data and appointing a data protection officer (DPO) to advise and assess the restructuring in privacy policies.

There is also some provision that requires companies to obtain the consent of the user before processing their data and the user has the right to withdraw consent. The main factor which influences the whole working of companies is the cost factor, new compliances will not only increase the cost in dollar value but also will cost time. To implement these new compliance measures, firms would also need to recruit more legal advisors and technological experts for the proper implementation. However, the bill is still in process and the additional clarity that companies are looking for will soon appear by the time the bill is in action.

DATA LOCALISATION

There revolves an issue on “data localization” norms which is included in the draft law. It is a restriction on cross border transfer of user’s critical and sensitive data and this provision is largely focused on storing the data within the territorial limits of the country. Even when RBI blew a whistle on storing user’s data locally, many techno giants like Whatsapp, google, and Paytm were convinced. Currently there are no penalties for not-complying companies but its only a matter of time now. One of the major argument which comes to light that will the localization of data stop the third party manipulation like Cambridge Analytica where with the means of what people are liking on Facebook they could assume the political affiliation one can have. All of this surely supports the localization but it comes at a very hefty cost for the companies. If companies are forced to localize the data, they would have to move, re-assess and re-architecture their network infrastructure. The procurement of new equipment and servers will increase the amount of capital invested and maybe will increase some debts. These compliances surely provides leverage to the local competitors since the foreign entities would be following the data regulations and will use local technology.

WHAT’S BENEFICIAL?

The new law will increase compliance burden but in the long run it is going to affect the business environment positively. The new measure should rather be seen as a business investment opportunity and not as a burden.

Over the years India has become a major hub for IT companies and it is the real opportunity for a firm to stand out in providing complete privacy protected services to its users.

The new regulation will surely demand good technical experts and will increase the demand of skilled labor and employment opportunities lately.

Talking about the implementation, it is very unlikely that the law will be enforced immediately. The government will provide sufficient buffer time before enforcing the law completely since companies most likely would require at least 20-24 months to make amends with regards to the compliances.