While the Personal Data Protection (PDP) Bill, 2019, introduced in Parliament on Wednesday has toned down the data localisation requirements, it has several implications for social media companies including a provision for users for voluntary verification of their accounts, say experts.
The Bill draws its origins from the Justice B.N. Srikrishna Committee on data privacy, which produced a draft of legislation that was made public in 2018 (“the Srikrishna Bill”).
The mandatory requirement for storing a mirror copy of all personal data in India as per Section 40 of the Srikrishna Bill has been done away with in the PDP Bill, 2019, meaning that companies like Facebook and Twitter would be able to store data of Indian users abroad if they so wish, said Prasanth Sugathan, Legal Director at SFLC.in, a New Delhi-based not-for-profit legal services organisation.
“Data localisation has been toned down. Now only sensitive personal data and critical personal data have to be stored here,” Sugathan said.
“Social media companies will have to modify their application. They need to have a system in place by which a user can verify themselves. So probably some system to upload identification documents should be there. And it also suggests that something like the Twitter blue tick mark should be there to identify verified accounts,” Sugathan said.
“But it is up to the user whether he or she wants to verify themselves or not. I am not sure why something like this is required in the data protection law,” he pointed out.
According to Arun Prabhu, Partner, Cyril Amarchand Mangaldas, certain changes made to the draft Bill are business friendly including the changes made to the data localisations requirements.
“On the other hand, portions of the Bill have been pared down, and some changes such as the lack of a clear implementation timeline, requirement to share non personal data, obligations for social media verification etc. may be a potential source of concern,” Prabhu said.
The PDP Bill, 2019 extends the obligations of significant data processors or fiduciaries to social media intermediaries (SMI).
Verified user accounts will be marked with a demonstrable verification mark. As per Section 29, data auditors are required to evaluate social media intermediaries for timely implementation of their obligations under account verification norms.
Other obligations applicable to social media intermediaries include data protection impact assessments, maintenance of records, audit of policies, and appointment of a data protection officer.
What has, however, raised eyebrows is that the Bill gives the government ultimate rights and powers to seek access to users’ data to help formulate policies.
Section 42 of the Draft Personal Data Protection Bill, 2018 allowed access of personal data to the state for security purposes based on principles of necessity and proportionality and on the basis of authorisation under law.
The provision for government access to personal data under the PDP Bill, 2019 (Section 35) is wider, gives the Central Government power to exempt any government agency from the purview of the Bill (all or select provisions) and does not codify the principles of necessity and proportionality as determinants to access, SFLC.in said.
“While the Personal Data Protection Bill 2019 addresses the issue of informed consent, it only states that the data fiduciary must process data in a fair and reasonable manner that respects the privacy of the individual,” said Swapnil Shekhar, Co-founder & Director, Sambodhi Research and Communications.
“The Bill does not specify what constitutes fair and reasonable leaving room for the potential violation of privacy,” Shekhar said.
“The future may bring challenging times for social media companies to comply with the private data related requests under the new law if it’s approved as tabled. Many popular social media platforms would have to invest significantly in order to adhere to the data sharing requests and yet may not be able to meet the requests due to technical difficulties,” said Sunil Chandna, CEO, Stellar Data Recovery. (IANS)