Data protection regulations ensure the security of individuals’ personal data and regulate the collection, usage, transfer, and disclosure of the said data.
By Shiv Aggarwal
India has recently banned 118 additional Chinese apps. As per reports, this ban comes under Section 69A of the Information Technology Act and is due to the illegal data collection practices followed by these apps. These apps were found to be collecting extensive information about their users without taking explicit permission. The collected information included, but was not limited to, data from users’ clipboards, their GPS locations, and vital network-related information such as IP, local IP, and MAC addresses, Wi-Fi access point names, etc. Some of the apps were even found setting up local proxy servers on users’ devices to transcode media without permission.
Around the world, major corporations are being fined millions of dollars for non-compliance with regional data protection laws. So far, Europe’s GDPR has been considered one of the most stringent, and India’s PDPB is now set to take the benchmark to another level and become one of the world’s most extensive data protection policies.
What is data protection, and why is it important?
With the increase in user-generated data and the exponential industrial value of data, it is becoming vital that government bodies take the necessary steps to protect the data rights of their citizens. Data protection regulations ensure the security of individuals’ personal data and regulate the collection, usage, transfer, and disclosure of the said data. They also provide individuals with access to their data, place accountability measures on organizations processing personal data, and supplement these by providing remedies for unauthorised and harmful processing.
What is GDPR?
The General Data Protection Regulation (GDPR) came into effect in May 2018. It has been an essential step in strengthening citizens’ fundamental rights in the current digital revolution, monitoring businesses, and preventing companies from misusing data for their own financial gain in ways that put the user at risk.
GDPR enforcement has been highly active, with fines in the millions of euros imposed on companies like Facebook and Google.
What is India’s PDPB?
India’s Personal Data Protection Bill (PDPB), which is currently in draft, is said to be one of the most comprehensive data protection laws, and in some ways stricter than the European Union’s GDPR. Let us understand a few terms:
Personal Data: This is information that relates to an individual and can be used to identify them. It includes data such as name, contact details (email ID, phone number), fingerprint, web history, cookie data, etc.
Sensitive Personal Data: The following personal data is considered ‘sensitive’ and is subject to specific processing conditions: passwords, financial data, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, caste/tribe/community identifiers, health-related data, data concerning a person’s sexual orientation, and biometric and genetic data.
Data Principal: A “data principal” is a living individual to whom personal data relates.
Data Fiduciary: A “data fiduciary” is a person, business, or other organization that decides why and how to process personal data, e.g. Facebook, Amazon, Google, etc. In general, a data fiduciary:
Has a direct relationship with the Data Principal, i.e. the user
Decides how to process personal data to achieve a business purpose
Data Processor: A data processor is someone who processes data on behalf of a Data Fiduciary but is not an employee of the Data Fiduciary. Examples are third-party email companies such as Mailchimp or Sendgrid. These companies are processing someone else’s data; the responsibility in such cases lies with the data fiduciary.
Data Protection Authority: It is an independent body, for GDPR in Europe and for PDPB in India, whose responsibilities include:
Developing laws, policies, and guidelines for data protection
Examining data audit reports
Enforcing the laws and imposing penalties for violators
Does PDPB apply to all?
The PDPB applies to both Indian and non-Indian companies. If a company has no presence in India, the PDPB still applies if the company:
Offers goods and services to individuals in India, or
Profiles individuals within India
Takes payment in rupees
Ships products to India
Advertises to Indian customers
What is surprising is that if you are a company that uses personalized advertising, and your website is accessible in India, then you should comply with the PDPB. This would apply even if you aren’t actively seeking Indian customers or consumers.