Tsaaro Survey: Upcoming bill should provide for an independent data protection authority similar to GDPR
Tsaaro announced the key findings of its survey on people’s expectations from the upcoming Personal Data Protection Bill 2019. The extensive study saw participation from more than 200 Privacy Professionals across Education, Healthcare, Information Technology, Banking & Finance, and other sectors. Tsaaro aimed to gather valuable insights and on that basis drafted a detailed report which depicted the stand of people on the draft of the Personal Data Protection Bill.
Over 51% of respondents said they thought the drafted Bill was at par with other global privacy laws such as the GDPR, CCPA & the PIPL. However, most of the participants recommended that the drafted Bill should provide for an independent Data Protection Authority similar to the GDPR. The drafted Bill in its current form allows for excessive Government intervention and therefore it is unlikely that the DPA will function independently.
When participants were asked whether they agree with the proposed provision of inculcating Data Localisation in reference to the organizations which are operating outside India, 70% of the participants agreed to the provision. 93% agreed that Social Media Platforms will have to adhere to Indian Privacy Laws now. A majority of the participants felt that the definition of critical data needs to be worked upon and a total of 71% of participants felt that the definition, as of now, was not up to the standard.
When asked if there should be a restriction on the number of Data Subject Requests an individual is entitled to, 69 % of participants agreed that there should be some form of limit that allows access without infringing on an individual’s rights. While 76% of the respondents agreed that there should be a retrospective application of the provisions of the drafted PDP Bill. Only 10% of the participants responded that the upcoming Bill should be enacted as it is. When asked if consent should be the sole legal basis on which data may be processed, the majority of participants said no, adding that the law should allow for another legal basis on which data can be processed.
Regarding data subject rights, Tsaaro discovered that the majority of participants were worried that the drafted Bill does not guarantee the same rights to Data Subjects as privacy legislation such as the GDPR do.
Further, a majority of the participants were not satisfied that the existing data protection principles are sufficient in light of evolving technology. They felt that once the Bill is enacted there should be a given time wherein the organisation can ensure compliance and there must be a retrospective application of provisions and agreement on Data Localisation as a mandate for Social Media Platform especially to operate in India.
It was suggested that the upcoming Bill should state that in case of data breaches by public bodies they should be held liable for such a breach. Government bodies collect and processes large amounts of Personal Data and Sensitive Personal Data. Therefore they should not be exempted from complying with the provisions in the drafted Bill. In case of data access requests by public bodies, the entity subject to such a request should be obliged to inform this publicly unless the request is for crime or fraud prevention.
The majority of the participants felt that there must exist clear definitions of terms in the upcoming statute, as vague definitions create grey areas and further obstruction in the natural course.
Akarsh Singh, CEO & Co-founder, Tsaaro says, “Data Privacy is a growing concern amidst increasing number in Data Breach Incidents. The much-awaited personal data protection bill which is scheduled to be tabled in the winter session of the parliament starting today has received a mixed response. We wanted to deep-dive into the several possibilities, recommendations as well as a general overview of data privacy experts and professionals. The survey, conducted over the last 3 weeks, has been effective in bringing to light the key pain points of the industry and we hope to bring insights for people in general as well as the policy-makers to consider.”
The company aims to modernise training technologies and become a digital competence centre. The Academy is developing suitable strategies to partner with more specific and industry players to extend their services and also to provide more improvised training. The company take a pragmatic, risk-based approach to provide its clients with real-world, workable advice, guidance, and support that helps them to deal with a wide range of security and privacy-related challenges.