Exclusive Analysis: India's Proposed Data Privacy Bill's Provisions
Panel of Experts Outlines Gaps, Implementation Challenges
The proposed personal data protection and privacy bill, prepared by the Justice B. N. Srikrishna committee, has many gaps and some provisions that could prove challenging to implement, a panel of experts says (see: India's Data Protection Bill Draft: Reactions).
Information Security Media Group assembled a panel of three security experts to offer analysis of the proposed legislation in an exclusive, in-depth audio interview.
Delhi-based Pavan Duggal, advocate, Supreme Court of India and cyber law expert, says the bill is substantially influenced by the EU's General Data Protection Regulation.
"While we want to export a Western concept, we want it to work here," Duggal says. "We must customize our approaches to what actually works here."
Mumbai-based Shivangi Nadkarni, co-founder and CEO of Arrka Consulting, however, stresses that India clearly needs a broad data protection law. "Data is used by anybody without any guidance framework," she says. "It's time for a mechanism to manage it so someone else doesn't profit from our data."
Duggal notes that the draft data protection bill is narrower in scope in defining data breach notification than the details prescribed in the IT Act 2000. "The current [draft] data protection bill is limited to data processing, which is a small component of the Act, and this is going to have undesirable consequences as it is not all looking futuristic," he contends.
The committee's proposal that a copy of Indians' data be stored domestically would have substantial implications for global tech companies and cloud service providers, which would have to make substantial investments to comply, says Gagandeep Singh, head of the risk advisory practice for Asia Pacific & Japan at Aujas Networks.
Understanding the Nuances
The panel says security professionals need to understand the proposed bill's provisions, including:
- Why data localization is required to help discourage state-sponsored attacks, and the costs involved;
- How the bill would be a distinct departure from the existing data protection and privacy law;
- Why the measure would require data classification and categorization to assess a breach.
For part two of this interview, see: Exclusive Analysis: New Rights in Proposed Data Privacy Bill.
Singh is head of the risk advisory practice for Asia Pacific & Japan at Aujas Networks. Singh was deputed to UIDAI as its CISO from Aujas. He previously worked at Hewlett Packard in technology services, leading network and security solutions business development for telecom, large enterprise and government verticals.
Duggal, a practicing advocate at the Supreme Court of India, is an authority in cyber and ecommerce law who has authored many books, articles, blogs and columns on cyber law and cybersecurity.
Nadkarni, co-founder & CEO of Arrka Consulting, has over 22 years of experience in information risk and privacy, e-commerce and networks. She previously headed the global application security and identity management practice at Wipro, establishing India's first licensed certifying authority for digital signatures in collaboration with Sify.
(Principal Correspondent Suparna Goswami contributed to this report.)