India introduced a new draft law on the protection of personal data (PD): another analogue of the GDPR?

    In our blog, we have already written about the GDPR, its “victims”, and the tightening of regulation across the IT sector as a whole. In this article we talk about the protection of PD in India.

    Specifically, we look at the new bill presented at the end of July of this year.

    We go over its main provisions and describe the criticism it drew from the community.



    Key provisions


    The draft law on the protection of PD (Personal Data Protection Bill, 2018) was developed over almost a year by members of the Justice Srikrishna Committee. The document was drafted with the specifics of IT regulation in India in mind, but it also drew on foreign experience. As a result, those who read the document immediately noted that in many respects it resembles the GDPR.

    Here are the key provisions set out in the document:

    Citizens will get more control over PD


    The owners of personal data are called Data Principals in the document (not Data Subjects as in the GDPR). They have the following rights (page 14, chapter 6):

    • the right to know whether the operator processes particular PD;
    • the right to change data if it is incorrect or outdated;
    • the right to demand that their data be provided in electronic format;
    • the right to be forgotten: restriction of publicity or termination of the use of PD.

    It is worth noting that the Committee also took care of children: a separate chapter is devoted to the protection of their data and sets out the duties of PD operators (page 13, chapter 5). For example, it states that the operator must put age verification mechanisms in place and must also limit behavior tracking and the display of targeted advertising on the site.

    New requirements for PD operators


    Everyone who collects and processes the personal data of people in India is called a Data Fiduciary: the party to whom the data has been entrusted (lawyers call such a party a "fiduciary": it is responsible for the property of another person, in this case the data of the subject).

    Fiduciaries are subject to a number of requirements when processing PD (page 17, chapter 7). For example, they must comply with the concept of Privacy by Design. This means that all technologies in use, security policies and business management must be geared toward preserving the integrity of the PD and preventing possible unpleasant consequences for its owners (for example, data leakage).

    In addition, fiduciaries are required to appoint a data protection officer (DPO) in their company, keep records of all operations on PD, undergo audits, and report data leaks within the time limits set by a special supervisory authority.

    On the subject of the supervisory authority


    A body called the Data Protection Authority of India (DPA) will be created in the country to monitor compliance with the law. The fines for non-compliance with the law are approximately the same as those provided for by European legislation. For example, PD operators face penalties of up to $2 million (or 4% of annual turnover) for allowing a database to be hacked.

    At the same time, Article 10 (page 29 of the document) states that members of the DPA must be people with more than ten years of experience in data protection and related fields. It can therefore be assumed that the posts will be occupied by people with deep technical knowledge and an understanding of how the technology works.

    Copies of PD will need to be stored on servers in India


    This is stated in article 8 (page 23). It stems from the policy of "cyber sovereignty" that the authorities have decided to follow. The bill prohibits companies from transferring data outside the country unless they obtain permission from the owner of the PD, the DPA or the state and meet a number of other conditions. This requirement may create additional difficulties for both local companies and foreign cloud providers.

    PD can be stored abroad unconditionally only in emergency situations (the state of health of the owner of the PD, a threat to their life, and so on, when it is necessary to act promptly).

    How the bill was received


    Together with the draft law, the Justice Srikrishna Committee provided a rationale for all the provisions and its recommendations for the protection of PD in the country. The authors explain that in developing the document they used the concept of a triangle, with the interests of the citizens of India at the top and the interests of business and the state at the base. By this, they probably want to emphasize that the bill takes into account the rights of everyone it affects.

    However, not all “vertices of the triangle” agree with them. A number of provisions of the bill have been criticized.

    Mozilla Foundation Chair Mitchell Baker expressed her concerns about the exceptions for the state mentioned in the document (Chapter 9): the reasons and purposes for the processing of PD by government agencies (for example, archiving or statistical analysis) are not clearly spelled out.

    The ban on “re-identification” research, in which the identity of the owner is determined from anonymized data, was also seriously criticized. Such studies help to improve PD protection technology and provide statistics on leaks or on the level of data security in a company.

    According to the text of the new bill, such tests can now be carried out only with the consent of the PD operator (otherwise a fine of 3 thousand dollars is imposed). This is meant to help avoid possible dumps of databases with PD in India. On the other hand, information security specialists emphasize that the ban on re-identification does not solve the problem.

    All this may lead to companies that process personal data refusing to allow such tests if they are not sure of the “quality” of the de-anonymization performed by them. If the systems of such companies are then broken into by hackers (who obviously do not need permission to hack), the consequences can be serious.

    For example, in 2017 the UK also proposed banning re-identification research, but reconsidered in time for security reasons.

    What's next


    The new bill needs to pass through a number of bodies, from the Ministry of IT and Communications to the Rajya Sabha, the upper house of the Indian Parliament, and obtain their approval. Because of the criticism, it is likely that it will not be adopted in its current form, so the date of entry into force is still in question.


