India's Data Protection Bill Draft: The Reaction
Some Criticize Proposal for Lack of Details, Implementation Challenges
Reacting to the draft of a new data protection bill for India, which was released Friday, many security and privacy experts are saying the bill is thin on specifics and that if it's enacted into law, some of its provisions could prove challenging to implement (see: Data Protection Bill Draft Released).
"The committee took a long time to come out with the bill and we all expected a better version of it. One can't just copy and paste GDPR in India," says the CISO of a pharmaceutical company, who asked not to be identified. "It's only a draft, but we wouldn't want the committee to take another year to come out with a revised bill. The entire process is too long."
Vicky Shah, a cyber lawyer, notes: "The [draft bill] states that foreign companies need to have a copy of data of Indians in the country. Why not insist on complete data localization? Also, they should have mentioned the time frame within which foreign companies must share data with the government when asked for. As of now nothing has been mentioned. This mandate doesn't even claim to keep your data safer."
Right to Be Forgotten
The draft data protection bill follows in the footsteps of the EU's General Data Protection Regulation in calling for Indians to have the "right to be forgotten."
The right to be forgotten refers to the ability of individuals to demand that data holders limit, de-link, delete or correct the disclosure of personal information on the internet that is misleading, embarrassing or irrelevant.
Some CISOs in India say the proposed "right to be forgotten" provision isn't well-suited for the nation.
"In India there is no notion about privacy. To have a provision like the right to be forgotten is too much investment and hassle for any company," says Subhajit Deb, CISO at Dr. Reddy's Laboratories. "The committee just can't have a GDPR look-alike bill in India since the factors at play here are very different from Europe."
Aditya Khullar, technical leader, cybersecurity at PayTm, India's largest mobile wallet, says the clause would be challenging to implement.
"It will be difficult for the fiduciary to track all the places where data is shared," Khullar says. "From an operational perspective, the company will have to create systems to take this into account and then in reality would have to create channels for customers to say that they want to be forgotten. Considering this, the right to be forgotten clause in the data protection draft bill is very tricky to implement."
If the right to be forgotten does become law, CISOs will need to be part of the data governance processes for designing and implementing the controls, says Satyanandan Atyam, CISO and data privacy officer at Bharti Axa, an insurance firm. "The security controls for the data in rest, data in store and data in motion need to be designed and constantly reviewed by the CISO function if the bill gets approved," he says.
The bill would create some exceptions to the requirement to delete consumers' data upon request, such as when certain data is needed for judicial or regulatory purposes. But it's unclear what unit of government would rule on those exceptions, Deb argues.
"Who will call these out?" he asks. "Under GDPR, the data protection authority has been made responsible. Organizations needing clarifications can reach out to a DPA. The proposed bill fails to address this issue."
Data Breach Notification
The draft bill would require that companies across all industries report to the data protection authority about data breaches. But it does not establish a deadline for how soon breaches must be reported.
"I personally feel it's a big miss," Deb says. "Organizations can report a breach after a year or two of discovering it. Is there a point if a disclosure happens years after a breach has taken place?"
But the fact that organizations will have to report breaches is expected to make them more careful in handling personally identifiable information. "This personal data is probably unnecessarily accessible to staff and suppliers because they are held in applications, or in storage or in transit," says Agnidipta Sarkar, global information risk and continuity officer at DXC Technology. "Hopefully it will be carefully handled now."
The committee that drafted the bill is of the view that India need not take an extreme stand when it comes to data localization. Taking a middle path, the proposed bill recommends foreign companies keep a copy of data on Indians in India.
The move is expected to help remove the legal hurdles to obtaining data residing in a foreign location.
Some security experts, however, expected the bill drafters to take a stronger stand on data localization. "India is a big market for most foreign firms. We have the power to flex our muscles as they can't do without us. We should have taken a stronger stand on data localization," says Vaishali Bhagwat, a cyber advocate.
Amendments to Aadhaar
With the backdrop of frequent Aadhaar leaks, the committee recommended the government amend certain portions of the Aadhaar Act to bolster privacy protections and enhance multifactor authentication for Aadhaar-enabled transactions.
The committee recommended adding an offline verification process for Aadhaar, increasing or creating civil and criminal penalties for contravening the Aadhaar Act and adding a new adjudication process to address disputes arising out of Aadhaar. It also recommended appointing an adjudicating officer above the rank of a joint secretary in the Union government with the power to make inquiries in cases where the Aadhaar Act is found to have been violated.
But the process of appointing the officer lies with the government, which means the regulator would never be completely independent.
Another aspect of the #DataProtectionBill that needs careful thinking is how the law may apply to the government. In that context, the broad exemption for state interest is worrying. Especially when central and state laws have a separate exemption (1/n) — Subhashish Bhadra (@Subhashish30) July 27, 2018
Furthermore, the committee doesn't spell out clearly who is to be held responsible if an Aadhaar breach happens.
Need for Enforcement
Security practitioners say a new data protection law won't have much impact unless it's actually enforced.
"In India we have multiple laws and regulations. ... Approaching a court for legal remediation has always been a challenge. Hopefully these things will be taken care of," Shah says.
If India enacts a new data protection law, CISOs would have to "review threat vectors and introduce the new measures and controls to contain the data leakage points," Atyam says. "The law [would lead to the] introduction of frequent risk-based reviews, CISO involvement in defining the clauses for the outsourcing contracts and new data security tools being implemented."
Managing Editor Geetha Nandikotur contributed to this story.