
India introduced a new draft law on the protection of PD - another analogue of the GDPR?

In our blog, we have already written about the GDPR , its “ victims ” and the situation with the tightening of regulation of the IT sector as a whole. In this article we will talk about the protection of PD in India.

In particular, we will look at the new bill presented at the end of July this year.

We will go through its main provisions and describe the criticism it has drawn from the community.

Photo: ruben alexander, CC

Key provisions


The draft law on the protection of PD (Personal Data Protection Bill, 2018) was developed over almost a year by a committee chaired by Justice Srikrishna (the Justice Srikrishna Committee). The document was drafted with the specifics of IT regulation in India in mind, but foreign experience was drawn on as well. As a result, those who read the document immediately noted that in many respects it resembles the GDPR.

Consider the key provisions of the document:

Citizens will get more control over PD


Data owners are called Data Principals in the document (rather than Data Subjects, as in the GDPR). They are granted the following rights (page 14, chapter 6):


It is worth noting that the Committee also took care of children: a separate chapter is devoted to the protection of their data and sets out the duties of PD operators (page 13, chapter 5). For example, it states that an operator is obliged to put age-verification mechanisms in place and to limit behavioural tracking and the display of targeted advertising on its site.

New requirements for PD operators


Everyone who collects and processes the personal data of people in India is called a Data Fiduciary, i.e. a person entrusted with the data (in legal terms, a fiduciary is someone responsible for another person's property; in this case, the property is the data of the Data Principal).

Fiduciaries are subject to a number of requirements when processing PD (page 17, chapter 7). For example, they must follow the concept of Privacy by Design. This means that all technologies in use, security policies and business processes must be geared towards preserving the integrity of PD and preventing possible harm to its owners (for example, data leaks).

In addition, fiduciaries are required to appoint a data protection officer (DPO) in their company, keep records of all operations with PD, undergo audits, and notify data leaks within the deadlines set by a special supervisory authority.

Speaking of supervisory authorities


A supervisory body, the Data Protection Authority of India (DPA), will be created in the country to monitor compliance with the law. The fines for non-compliance are roughly on par with those in European legislation. For example, PD operators face penalties of up to $2 million (or 4% of annual turnover) for allowing a database breach.

At the same time, Article 10 (page 29 of the document) states that members of the DPA must have more than ten years of experience in data protection and related fields. We can therefore assume that the posts will be occupied by people with deep technical knowledge and an understanding of how the technology works.

Copies of PD will need to be stored on servers in India


This is stated in article 8 (page 23). It stems from the "cyber sovereignty" policy the authorities have chosen to pursue. The bill prohibits companies from transferring data outside the country unless they have obtained permission from the DPA or the state and have met a number of other conditions. Potentially, this requirement may create additional difficulties for both local companies and foreign cloud providers.

PD may be stored abroad without such permission only in emergency situations (the state of health of the PD owner, a threat to their life, and other cases where prompt action is required).

How the bill was received


Together with the draft law, the Justice Srikrishna Committee provided the rationale for all of its provisions and its recommendations on PD protection in the country. The authors explain that in developing the document they used the concept of a triangle whose apex is the interests of the citizens of India and whose base corners are the interests of business and the state. By this they probably want to emphasize that the bill takes into account the rights of everyone it affects.

However, not all "vertices of the triangle" agree with them. A number of provisions of the bill have been criticized.

The Chairperson of the Mozilla Foundation, Mitchell Baker, expressed concern about the exceptions for the state mentioned in the document (Chapter 9): the purposes and tasks of PD processing by government agencies (for example, archiving or statistical analysis) are not clearly defined.

The ban on "re-identification" research, in which the identity of a data owner is determined from anonymized data, was seriously criticized. Such studies help improve PD protection technologies and provide statistics on leaks and on the level of data security in a company.

According to the text of the new bill, such tests may now be carried out only with the consent of the PD operator (otherwise a fine of 3 thousand dollars is imposed). This is meant to help prevent possible leaks of databases containing the PD of people in India. On the other hand, information security specialists stress that a ban on re-identification does not solve the problem.

As a result, companies processing personal data may decline to commission such tests if they are not sure of the quality of their own anonymization. If the systems of such companies are breached (and attackers, obviously, do not ask permission), the consequences can be serious.

For example, in 2017 a ban on re-identification research was also proposed in the United Kingdom, but there the security implications were considered in time.

What's next


The new bill still needs to pass through a number of bodies, from the Ministry of IT and Communications to the Rajya Sabha, the upper chamber of the Parliament of India, and obtain their approval. Given the criticism, it is likely not to be adopted in its current form, so the date of entry into force remains open.


Source: https://habr.com/ru/post/419257/