The sudden upsurge of concern for personal data by these organisations was the result of a new regulation by the European Union. The General Data Protection Regulation (GDPR) was notified in 2016 and it came into effect on May 25, 2018. The new law forced companies to rethink the manner in which they obtain, store and use the personal information of those signing up to use their products and services. Organisations found themselves scrambling to update their infrastructure in order to comply with the new regulations that allowed subjects greater control over their data.
Though India does not fall under the ambit of the GDPR, which only applies to citizens of the EU, its implications are far-reaching. Almost all global organisations have had to change their information architecture in order to cater to the EU market, which implies that other nations without such stringent regulations have also accrued some benefits.
Close on the heels of the General Data Protection Regulation coming into effect, a ten-member committee headed by retired Supreme Court Judge Justice B N Srikrishna will submit the draft Data Protection Bill for India by the end of this week. The committee was constituted in August 2017 to evolve a framework for data protection in India. The main aim of the bill is to ensure the growth of the digital economy in the country while safeguarding the personal data of millions of citizens.
While the draft bill by the Srikrishna committee is under lock and key until submission, a group of privacy activists published a set of guidelines based on the verdict of the Supreme Court in retired judge Puttaswamy Vs Union of India, where the apex court of the land recognised the right to privacy as a fundamental right. The effort stemmed from the belief that the draft bill might take a narrow view with a fixation on data and ignore the crucial aspects of privacy.
Saveourprivacy.in is a community-driven project whose model privacy bill puts the rights of citizens at its heart. The people involved in the effort include lawyers, policy analysts and those in the field of information technology. The Indian Privacy Code released by the group calls for the framework to legally codify principles of privacy so as to avoid it being weaponised against the fundamental right to expression and the right to information.
The group has called for restrictions on public and private entities collecting data from the people and the manner in which such information is used. Along with it is the need for enforceable rights for the citizens with regard to their data. The code also demands an institutional framework for the same at the central and state levels.
Indians are more vulnerable than ever to data theft, loss of personal information or misuse of data. The threat may come from individuals and organisations exploiting the loopholes in the law and the lax approach to data protection that has been seen thus far. The coming months will be crucial for the country in making comprehensive strides towards data protection.
What does GDPR mean?
The General Data Protection Regulation (GDPR) was evolved by the European Union (EU) to strengthen the rights of EU residents over their data and to harmonise the data protection laws across all member states.
- The provisions of GDPR are applicable to all organisations that control or process personal data of EU residents even if the organisation is not located in the EU.
- The reforms in GDPR are centered around personal data, consent and privacy.
- GDPR expanded on the definition of personal data from previously existing regulations to include items such as biometric data and genetic data.
- GDPR also allows the subjects the right to erasure or the right to be forgotten, where one can make a request to an organisation for the deletion of any personal information it may hold without undue delay.
- Under GDPR, organisations are obligated to notify the respective national bodies and the customers in case of any data breach. They must also clearly outline how they plan on using the data that has been collected.
- Non-compliance with GDPR may cost a company a penalty of 20 million euros or 4% of its annual turnover.
- Many global companies with back-end operations in India and the Business Process Outsourcing sector with access to data of millions of customers based out of the European Union have had to reorganise to comply with the GDPR.
- Though India does not fall under the ambit of the GDPR, which only applies to citizens of the EU, its implications are far-reaching.
- Almost all global organisations have had to change their information architecture in order to cater to the EU market, which implies that other nations without such stringent regulations have also accrued some benefits.