Attorney Argues That India Needs Its Own GDPR
Cyber Lawyer Vaishali Bhagwat on Protecting Privacy
Despite having the Information Technology Act, which covers aspects of privacy, India needs a separate privacy law along the lines of the EU's General Data Protection Act, argues cyber lawyer and advocate Vaishali Bhagwat.
"If you look at how the IT Act has been framed, it talks about the liability of body corporates for possessing personal sensitive data," she notes in an interview with Information Security Media Group. "Body corporates are held responsible for content that gets passed onto intermediaries like Facebook, Google, Apple and Amazon. But there is nothing in the Act which mentions taking action against these intermediaries." (See: Senators Raise Issue of Regulating Facebook)
All these large platforms are in custody of personal data of Indian citizens, Bhagwat points out. "Many a times during investigations, we in India struggle to get data of our own citizens. The Facebook-Cambridge Analytica saga is one of the glaring examples of what is happening with data. So a Data Protection Act is a must in India."
In this interview (see edited transcript below), Bhagwat also discusses:
- GDPR's impact on privacy awareness;
- Why data should be stored locally;
- Why the IT Act is not enough to protect personal sensitive information.
Bhagwat is managing partner with VP Shintre & Associates, a law firm based in Pune. She has more than 20 years' experience in litigation and non-litigation practice. Bhagwat is the first lawyer in the country who was selected in the TCS Chevening Scholarship program on Cyber Defense and international collaboration on cyber policy by the British High Commission and Tata Consultancy Services.
Privacy Priority
SUPARNA GOSWAMI: Discussions about GDPR are now common in the board room. As a lawyer, what changes are you seeing in terms of organizations' attitudes toward privacy?
VAISHALI BHAGWAT: Historically, our country has not been very aware or sensitive about privacy as we Indians in general are not very private people. Having said this, one can't deny the fact that because of this information age coming in, there's so much data getting into circulation and we're voluntarily participating in giving our data away.
The Information Technology Act and the rules notified in 2008 and then 2013, introduced a regime for protection of personal and sensitive information of our citizens. However, back then, corporates did not pay much attention to this, and neither were the citizens aware nor did they care about this provision being there in the legislation.
But suddenly, with the advent of GDPR, which is very stringent legislation, things are slowly changing. And with European firms having operations in India and vice versa, most of the companies in India also have a European face. There is no option but for the companies to now comply with GDPR.
GDPR compliance is very complex, and it has to be rolled out over a period of time to catch the essence of what is GDPR compliance. So organizations which are not exposed to European markets have got a sense of the importance of data protection, which otherwise was absent. And, automatically, these companies are now looking at how they can be more proactive toward protecting personal or sensitive personal information. So this is a big change I have witnessed.
New Doubts
GOSWAMI: Despite GDPR coming into effect, there is still a lot of confusion around it. What are the queries that are frequently asked?
BHAGWAT: The basic query we usually come across is the kind of data that needs to be looked at for GDPR compliance. So we educate them that if they do not have any exposure to a European market, those companies need not comply with GDPR. (See: Assessing GDPR Compliance Readiness in the Middle East)
But the whole debate and awareness around privacy has made even companies not exposed to GDPR look into what kind of data is getting captured within the organization, where it is getting circulated and where is it getting used. We try to help them to look at how to classify data and what kind of measures that they need to have in place from a legal standpoint.
These companies want to make sure that the personal and the sensitive personal data in their custody is secure, used for the purpose for which it has been collected, and disclosed only as per the purpose that has been stated in the policy.
Need for Data Protection
GOSWAMI: India plans to soon come out with its own Data Protection Act and the first draft is expected to come out soon. Because we already have the IT Act in place, which protects sensitive personal information, what is the need for a Data Protection Act?
BHAGWAT: If you look at how the IT Act has been framed, it talks about the liability of body corporates for possessing personal sensitive data. Body corporates are held responsible for content that gets passed onto intermediaries like Facebook, Google, Apple and Amazon. But there is nothing in the Act which mentions taking action against these intermediaries.
All these large platforms are in custody of personal data of Indian citizens. Many a times during investigations, we in India struggle to get data of our own citizens. The Facebook-Cambridge Analytica saga is one of the glaring examples of what is happening with data. So a Data Protection Act is a must in India.
Data Storage
GOSWAMI: It is being speculated that the Data Protection Act may require companies to store data only in India. Do you think this is something that will get implemented? Is it a practical approach to take?
BHAGWAT: I'm very pro data localization, especially because while working on cases and working with victims, struggling with getting their hands around the data, I have realized that if the data is not locally stored, it's not an easy journey for people like us. (See: Will RBI's Local Data Storage Mandate Be Relaxed?)
And since I don't see international harmonization of laws happening in the near future, data localization becomes all the more important. India is a huge marketplace, and companies are exploiting this market on their terms, not really bothering about the protection of the data of our citizens.