PDP Bill at par with international rules but needs more clarity: Survey

Most respondents say Bill must provide for independent Data Protection Authority like GDPR. Current form allows for excessive govt intervention and it is unlikely DPA will function independently

Over 51 per cent of respondents in a survey said they thought the upcoming Personal Data Protection Bill 2019  was at par with other global privacy laws such as the General Data Protection Regulation, California Consumer Privacy Act and the Personal Information Protection Law, according Tsaaro, a data protection as a services provider, which announced the key findings of its survey on people's expectations from the PDP Bill.

However, most of the participants recommended that the drafted Bill should provide for an independent Data Protection Authority similar to the GDPR. The drafted Bill in its current form allows for excessive government intervention and therefore it is unlikely that the DPA will function independently.

When participants were asked whether they agree with the proposed provision of inculcating data localisation in reference to the organizations which are operating outside India, 70 per cent of the participants agreed to the provision. As many as 93 per cent agreed that social media platforms will have to adhere to Indian privacy laws now. A majority of the participants felt that the definition of critical data needs to be worked upon and a total of 71 per cent of participants felt that the definition, as of now, was not up to the mark.

When asked if there should be a restriction on the number of data subject requests an individual is entitled to, 69 per cent of participants agreed that there should be some form of limit that allows access without infringing on an individual's rights. While 76 per cent of the respondents agreed that there should be a retrospective application of the provisions of the drafted PDP Bill.

Only 10 per cent of the participants responded that the upcoming Bill should be enacted as it is. When asked if consent should be the sole legal basis on which data may be processed, the majority of participants said no, adding that the law should allow for another legal basis on which data can be processed.

Regarding data subject rights, Tsaaro found that the majority of participants were worried that the drafted Bill does not guarantee the same rights to data subjects as privacy legislation such as the GDPR do.

Further, a majority of the participants were not satisfied that the existing data protection principles are sufficient in light of evolving technology. They felt that once the Bill is enacted there should be a given time wherein the organisation can ensure compliance and there must be a retrospective application of provisions and agreement on data localisation as a mandate for social media platform especially to operate in India.

It was suggested that the upcoming Bill should state that in case of data breaches by public bodies they should be held liable for such a breach. Government bodies collect and process large amounts of personal data and sensitive personal data. Therefore they should not be exempt from complying with the provisions in the drafted Bill. In case of data access requests by public bodies, the entity subject to such a request should be obliged to inform this publicly unless the request is for crime or fraud prevention.

The majority of the participants felt that there must exist clear definitions of terms in the upcoming statute, as vague definitions create grey areas and further obstruction in the natural course.  

“Data Privacy is a growing concern amidst increasing number in Data Breach Incidents. The much-awaited personal data protection bill which is scheduled to be tabled in the winter session of the parliament starting today has received a mixed response. We wanted to deep-dive into the several possibilities, recommendations as well as a general overview of data privacy experts and professionals.  The survey, conducted over the last 3 weeks, has been effective in bringing to light the key pain points of the industry and we hope to bring insights for people in general as well as the policy-makers to consider,” said Akarsh Singh, CEO & Co-founder, Tsaaro.