The Personal Data Protection Bill 2019, currently being analysed by a joint parliamentary committee, would require companies operating in India to make various operational and structural changes for compliance once the provisions of the proposed law come into effect.

For example, from a purely financial viewpoint, the data localisation requirements of the Bill are bound to negatively impact businesses. They could drive up costs for international and Indian players alike, while harming the privacy of users, according to Udbhav Tiwari, Public Policy Advisor at Mozilla.

Today, companies worldwide store and process huge volumes of digital information. With such volumes of user data held by companies and data breaches occurring across the globe, issues such as data privacy and protection have gained importance. One of the recent global models of legislation that lays down a framework for data governance is the EU’s GDPR (General Data Protection Regulation), which was adopted in 2016.

“How companies are looking at data has definitely become a boardroom discussion issue. Various regulatory frameworks for the same have already come up; the European Union’s GDPR has aggressive provisions under which companies could have 3 per cent of their revenue at stake, in case of a breach,” Ashwin Yardi, CEO, Capgemini Technology Services India Ltd, said.

Data localisation

The Bill in Chapter 7, Section 33 contains restrictions on the transfer of personal data outside India. The cost of compliance for foreign players will be significant.

Firstly, multinational corporations tend to have globally distributed data centre operations. These systems process data in an integrated manner tuned for efficiency. If such players are forced to localise the data of Indian users, they would have to completely re-architect their technical infrastructure for data processing, explained Udbhav.

Even co-locating their servers in already existing Indian data centres or procuring new servers and equipment in India will increase working capital significantly, factoring in duties, tariffs and storage infrastructure.

As far as companies of Indian origin are concerned, migration of their data to local data centres is likely to raise logistical costs. For instance, a food and lifestyle company of Indian origin uses cloud services hosted in Singapore. In an ICRIER report, it expressed worries about the quality and costs of data services in India if it is forced to migrate.

Mishi Choudhary, tech lawyer and Managing Partner at Mishi Choudhary and Associates, said, “The data localisation requirements of the government showcase a misplaced understanding of the cloud architecture; companies store their data wherever it’s most cost- and time-efficient. A data centre is a high-electricity-consuming, minimal-employment-generating and highly self-sufficient facility. That’s why many companies have their servers in countries like Iceland, for cost and climate factors.”

However, some Indian players, speaking from a protectionist view, feel that this will give local companies competitive leverage, as foreign players will have to comply with Indian data regulations and use locally available technology.

Privacy compliance

Chapter 6 of the Bill contains measures relating to transparency and accountability that companies would have to undertake. These include remodelling their privacy policy to state the clear purposes of processing consumer data and appointing a Data Protection Officer (DPO) to advise and regularly assess decisions to protect user privacy. The regulator could also ask companies to get their privacy policy approved and vetted in some cases.

Chapters 2 and 5 of the Bill respectively require companies to obtain users’ consent before processing their personal data and give users the right to withdraw consent and to update or erase their data.

Manish Sehgal, Partner, Deloitte said, “Compliance costs cannot just be evaluated in terms of dollar value. Take, for instance, the Bill’s requirement for the appointment of a DPO. This will require companies to either recruit especially skilled personnel or upskill their current employees. To adapt to, implement and sustain compliance procedures, there would also be a new set of legal advisors and technology experts required. Time and effort at the leadership level also constitute costs.”

“Since privacy is becoming a competitive advantage in the digital age, redesigning policies to make them more transparent is likely to significantly benefit companies in the long run. Some areas of the Bill, however, such as the possibility of getting privacy by design policies vetted by the Data Protection Authority, could increase compliance for companies. It is still early days, however, and the additional clarity that will arrive by the time the Bill is in force will improve predictability for companies,” said Udbhav.

Penalties and compensations

As under the GDPR, companies under the proposed Bill are liable to penalties and to paying compensation to users in case of non-compliance. According to Chapter 10 of the Bill, companies could have 4 per cent of their worldwide turnover or ₹15 crore at stake, whichever is higher.

Talking about the implementation period that will be given to companies to meet the requirements of the Bill, Udbhav said, “It is highly unlikely that as soon as the Bill is passed, it will become enforceable. Much like the GDPR and the previous version of the PDP Bill, there will be an implementation timeline provided to the companies by the government, which would likely be a period of 18 to 24 months. The restructuring of operations and compliance policies will, therefore, have to happen over this period.”

Some companies could be left out of the ambit of the Bill if they are not classified as significant players based on data volumes and turnover. However, those companies could still be asked to comply if they possess the sensitive personal data of users.

Sector outlook

“According to our industry research, three broad categories of companies have been found vis-à-vis readiness for the PDP Bill. The first category is early adopters: these are companies that mainly have some international affiliation, as privacy is a much more mature subject outside. These companies were fully or partially ready to comply with international standards, and they were anticipating similar compliance measures to kick in here,” said Sehgal.

The second category is the observers; they have done a relative dipstick and made a quick assessment of what cost, time and resource changes they would be required to undertake if the Bill came in tomorrow.

The third and final category is the reactive enterprises, which are waiting to see the market and industry response to figure out their way forward, he explained.
