Data Protection Bill: Experts seek clarity on timelines and definitions

Say some of the open-ended language may need refining

The draft data protection Bill introduced last week is being described as simplified and business friendly by industry experts. They are, however, awaiting clarity on several aspects of the proposed law, including timelines and definitions, among other things.

The Bill, for instance, covers only digital information and is applicable to information that has been collected online or is digitised.

“We still need to understand the impact of this on handwritten or non-digitised records. Also, should this be seen in the light of further push for digitisation?” asked Manish Sehgal, partner, Deloitte India. 

The Bill would be open for public consultation until December 17, while the final version is expected to be tabled in the Budget Session next year.

“The Bill is a simpler version of the earlier draft and is nicely articulated. We will need to get some more clarity on a few aspects,” said Murali Rao, partner, cyber security consulting leader, EY.

Legal experts, for instance, pointed out that the law needs to define who qualifies as “significant data fiduciary.” 

The Bill only mentions that ‘data fiduciary’ means any person, who alone or in conjunction with other persons, determines the purpose and means of processing of personal data. 

The government also needs to provide clarity on details of the independent audit of a data fiduciary such as the frequency of audit. 

Arun Prabhu, partner & head – TMT, Cyril Amarchand Mangaldas, said, unlike the previous draft Bills, this version seems to be designed to be a shorter and simpler document. This may help with alignment and rapid adoption.

“While this simplification may have benefits, several concepts that the current Bill proposes, and some of the open-ended language, may need refining before the Bill is adopted.” Prabhu added. 

With an increasing base of Internet users in the country, many are disappointed that the Bill does not deal with cybersecurity issues in a larger way.

The time limit within which a data breach should be reported to the data protection board has also not been mentioned in the Bill. Globally, in countries such as Singapore, a data breach should be reported within 72 hours of the incident.  

Rao also pointed out that a major omission in the Bill is that there is no mandate for an entity to maintain a “record of processing activity,” or ROPA as is the global norm.  

“Any data fiduciary should be made to provide evidence through the management of a ‘ROPA’.

A mandated timeline for data breach reporting is another needed provision that needs to be included,” Rao added. 

On a positive note, experts have also welcomed a provision of the Bill that requires parental consent for sharing of children’s data. 

The Bill says that a data fiduciary will process any personal data of a child only after it obtains a verifiable parental consent, among other details.

However, the Bill says that a child means an individual, who has not completed the age of 18. Experts pointed out that like in other countries the Bill should have two age groups for children.  

Experts said the penalties on data principles in the proposed Bill could be a global first. “This is likely to promote authenticity in data principal requests and limit non-legitimate requests,” said Sehgal. 

One of the bigger concerns among the legal fraternity is the creation of a board rather than an authority, as proposed in the earlier version of the Bill.

Some feel that the success of implementation may depend on the regulatory body and its powers. 

“In the present case, the Bill talks of a board rather than an authority. The board will have less teeth, and hence, the regulator will be weak. It will be similar to the IT Act, which has provisions on penalties but how far it has become a deterrent is yet to be seen,” said Salman Waris, managing partner at TechLegis Advocates and Legislators. 

 The importance of this digital data Bill is also because of the rising Internet user base. India has over 760 million active Internet users and over the next coming years this is expected to touch 1.2 billion. India is the largest connected democracy in the world and is among the highest consumers and producers of data per capita globally. 

Listing uncertainties

• The Bill, for instance, covers only digital information and is applicable to information, which has been collected online or digitised
• Legal experts point out that the law needs to define who qualifies as a ‘significant data fiduciary’
• Centre needs to provide clarity on details of the independent audit of a data fiduciary such as the frequency of audit
• Time limit within which a data breach should be reported to the data protection board has also not been mentioned in the Bill
• One of the bigger concerns among the legal fraternity is the creation of a board rather than an authority
• Experts have also welcomed the provision of the Bill that requires parental consent for sharing of children’s data