The government’s proposed legal framework known as Personal Data Protection Bill for the use of personal data and preventing its misuse — which has been drafted on the lines of the European Union’s General Data Protection Regulation (GDPR) — is likely to impact sectors such as e-commerce, streaming platforms, financial services, IT among others.
The bill was tabled in the Indian Parliament on December 11 and is now being reviewed by a joint panel of Parliament. If it is passed in the current form and shape, the bill is likely to increase the cost of operations for marketing agencies and could pose obstacles in the implementation of personalised marketing campaigns. The bill has divided data into three segments — personal, sensitive personal and critical personal.
The companies will have to take explicit consent from users before processing personal data and inform the user about the nature and categories of personal data being collected and the purpose for which the data will be processed. The user will also have to be informed about other entities the data will be shared with.
The proposed provisions that may hit the sectors:
1. The bill mandates that user consent should be obtained for storing and processing of personal data by companies.
Impact: So if a marketing network is storing your data and processing it to serve personalised ads to you, it will need user consent to do so.
2. Biometric data falls in the category of sensitive and cannot be processed unless specifically permitted by law.
Impact: For India's rising voice search industry, it could be a roadblock as they won't be able to process the data freely and would have to seek specific permission from the authorities. Experts believe this clause might be diluted during the review of the bill by a committee of MPs.
Google was asked to halt its analysis on the voice search after Article 66 was implemented by GDPR. If we look at it from the same perspective, yes, it would mean holding on until the regulations are strong enough to encapsulate how voice search results can bring in growth for marketers.
3. Data that has been defined as sensitive or critical has to be stored in India.
Impact: If a global ad network or platforms such as Google or Facebook are storing your health and financial data among other things, it has to be stored in India. Even for processing if it goes to their global headquarters, user consent will be required.
4. Empowers citizens to correct, erase and forget their personal data.
Impact: No social media network or search engine or an ad network can keep your data forever, unless you want it. Under the proposed provisions, the user has the right to erase. A consent manager will be there to enable users to gain, withdraw, review and manage their consent.
5. Large social media platforms to be tagged as significant fiduciaries.
Impact: Large scale data processors that are social media platforms will be tagged as significant fiduciaries by the government and will come under more compliance and responsibility, including offering voluntary user verification.
6. Companies may get their ‘Privacy by Design’ policy approved by DPA.
Impact: To ensure that the companies are not compromising on user privacy, they may have to get their ‘Privacy by Design’ policy approved by the Data Protection Authority.
7. Children’s data to be processed keeping in mind the rights and interests of the child.
Impact: When it comes to marketing to kids or serving content to kids, companies need to be more responsible and should have safeguards built in their system.
8. Penalty provisions for companies in noncompliance.
Impact: The bill provides for a penalty of up to Rs 15 crore or 4% of global turnover for companies that violate of provisions regarding processing personal data, processing personal data of children, transferring data outside India and other security safeguards.