Once the Data Protection Bill becomes a law after Parliament passes it during the Budget session, citizens can intimate to all digital platforms to delete their past data, Rajeev Chandrasekhar, minister of state for information technology and electronics (MoS for IT & electronics), told FE on Friday.
The minister said that the Big Tech firms’ power, which is a result of them sitting on huge amount of consumer data, will thus get minimised. “No more can they monetise consumer data by using it for any purpose,” he said.
The firms concerned will need to collect data afresh from users and spell out clearly the purpose and usage. They will be booked for data breach if they depart from the purpose for which it was collected, he said. Further, the onus of data breach as a result of theft by employees will lie with the company concerned and the Data Protection Board will levy the penalty on the company, the maximum amount of which has been fixed at Rs 500 crore.
Speaking about how the Bill is consumer-friendly, Chandrasekhar said that such provisions will empower the users who will decide how their data is used. “We have taken care to see that there’s no loophole wherein firms dealing with data say that data residing with them before the law came into force, can be used the way they want as it predates the law,” the minister said.
Chandrasekhar said that firms like Zomato, Swiggy, Ola, Uber, Flipkart, Amazon and the likes have been there for years and, therefore, sitting on a lot of consumer data, which was collected and used all these years without the consumers having any rights and the companies any responsibility. All this is going to change after the Bill becomes a law.
“Once the Bill becomes a law, consumers can ask them as to what information they have regarding them. And if they don’t like the information that they have of them or the amount of information, they can ask the firms to delete them,” the minister said. “This Bill will create a significant behavioural change for all those who collect data because this Bill has, for the first time, a section called obligations of a data fiduciary,” Chandrasekhar added. “That is why we have said data minimisation, purpose limitation and storage limitation. Data minimisation, means you can only collect, what is absolutely minimum required. Purpose limitation means you can only use it for the purpose for which you have acquired the data. And storage limitations is that after you have delivered the service, you have to delete the data,” he said.
The government will also spell out the definition of non-personal data (anonymised data) separately, so the firms will not be free to just remove the name of the users, make it anonymous and use it for any commercial purpose, he added.
The minister said that the proposed Data Protection Board will not be a regulatory body but function like a civil court whose functioning will be scrutinised by high courts and the Supreme Court. So, people raising doubts over it being controlled by the government and, therefore, not independent, are completely wrong, Chandrasekhar said.
On why the government decided to do away with mandatory storage of personal data within the country, which was enshrined in the earlier Bill to allowing cross-flow of data among “trusted geographies”, Chandrasekhar said that one has to rely on trusted geography “as you cannot basically carve out the Internet and say the Internet stops here”.
“We are a liberal democracy. We are a freedom democracy. We are not China, we don’t want to firewall our Internet and, therefore, we believe that data will move back and forth. But where data storage and processing is being envisaged by a data platform that the government of India will specify, meaning which are the trusted jurisdictions,” he said.
The minister said that the trusted jurisdictions will need to maintain the privacy and data protection rights of Indian citizens. And if Indian law enforcement agencies want access to the data on the grounds of criminality or terrorism, the concerned jurisdiction will have to permit that access.
“We will not allow a scenario where a user data is collected by let’s say Facebook or a Zomato or a Swiggy. They choose to use a cloud provider that is headquartered in, let’s say Zambia and the Zambian authorities are able to get all the data from that cloud provider without protecting his/her data. That won’t happen,” Chandrasekhar said.