Will India’s Data Protection law be the Achilles heel of companies?

Will India’s Data Protection law be the Achilles heel of companies?

India’s much-awaited Data Protection Bill is scheduled to be tabled in the winter session of the parliament. With its provisions related to the ‘Right to be Forgotten,’ data localization and ambit of the government to ‘interfere’ in the social media platforms – companies in several sectors will have to re-orient business and compliance models to navigate the regulatory changes.

The Data Protection Bill of 2019 is set for another round of amendments during the winter parliament session of 2021. The Bill aims to protect personal data via regulations. The most striking features of the Bill include the “Right to be Forgotten,” the controversial Clause 35, and Data localization. The “Right to be Forgotten,” which was modelled on the Global Data Protection Regulations (GDPR) of the European Union, allows citizens to ask organisations to delete their personal data. Some experts argue that this clause could increase compliance and procedural costs for companies.

Clause 35 of the Bill allows agencies under the Government of India (GOI) exemptions from provisions of the law in the name of ‘public order, sovereignty and security.’ The GOI’s recent clash with social media platforms over-regulating their platforms’ content has created additional political and reputation risks for this sector. Union Minister Rajeev Chandrasekhar noted, “social media platforms will now be treated as publishers because they publish content” & not intermediaries protected from liability. The unaccountability of social media platforms (such as Facebook and Twitter) over defamatory and illegal content has garnered attention from regulators globally, with countries enacting their own regulations.

Data localization requires companies to store data (especially financial data) of citizens within the country, which will increase the operational cost of data centres and other infra and cyber security risks.

With stricter compliances on the way, companies need to navigate their path towards a sustainable business model after the finalization of the data protection bill. The impact is likely to be felt across sectors – banking, financial transactions, social media platforms, technology giants, etc. India remains a big market for all global companies that will have to devise mechanisms to adjust to the ‘new normal’ – how to collect data, store data, protect data, who to share data with and delete data when required?

Leave a Reply