- AI
- Air Pollution
- Arbitration
- Asia
- Automobile
- Bangladesh
- Banking
- Biodiversity
- Biological Inventions
- bLAWgathon
- Brand Valuation
- Business
- Celebrity Rights
- Company Act
- Company Law
- Competition Law
- Constitutional Law
- Consumer Law
- Consumer Protection Authority
- Copyright
- Copyright Infringement
- Copyright Litigation
- Corporate Law
- Counterfeiting
- Covid
- Design
- Digital Media
- Digital Right Management
- Dispute
- Educational Conferences/ Seminar
- Environment Law Practice
- ESIC Act
- EX-Parte
- Farmer Right
- Fashion Law
- FDI
- FERs
- Foreign filing license
- Foreign Law
- Gaming Industry
- GDPR
- Geographical Indication (GI)
- GIg Economy
- Hi Tech Patent Commercialisation
- Hi Tech Patent Litigation
- IBC
- India
- Indonesia
- Intellectual Property
- Intellectual Property Protection
- IP Commercialization
- IP Licensing
- IP Litigation
- IP Practice in India
- IPAB
- IPAB Decisions
- IT Act
- IVF technique
- Judiciary
- Khadi Industries
- labour Law
- Legal Case
- Legal Issues
- Lex Causae
- Licensing
- Live-in relationships
- Lok Sabha Bill
- Marriage Act
- Maternity Benefit Act
- Media & Entertainment Law
- Mediation Act
- Member of Parliament
- Mergers & Acquisition
- Myanmar
- NCLT
- NEPAL
- News & Updates
- Non-Disclosure Agreement
- Online Gaming
- Patent Act
- Patent Commercialisation
- Patent Fess
- Patent Filing
- patent infringement
- Patent Licensing
- Patent Litigation
- Patent Marketing
- Patent Opposition
- Patent Rule Amendment
- Patents
- Personality rights
- pharma
- Pharma- biotech- Patent Commercialisation
- Pharma/Biotech Patent Litigations
- Pollution
- Posh Act
- Protection of SMEs
- RERA
- Section 3(D)
- Signapore
- Social Media
- Sports Law
- Stamp Duty
- Stock Exchange
- Surrogacy in India
- TAX
- Technology
- Telecom Law
- Telecommunications
- Thailand
- Trademark
- Trademark Infringement
- Trademark Litigation
- Trademark Registration in Foreign
- Traditional Knowledge
- UAE
- Uncategorized
- USPTO
- Vietnam
- WIPO
- Women Empower
INTRODUCTION
Data has become a valuable resource in this fast-paced digital era, driving innovation, economic growth, and societal change. However, there have been privacy concerns worldwide over the collection, processing and storage of personal data by digital platforms mainly social media companies. Governments are now enacting comprehensive data protection laws as a response to these concerns that will protect the privacy rights of individuals and ensure responsible handling practices.
India’s Personal Data Protection Bill (PDPB), 2019 is a notable legislative undertaking on these matters within its jurisdiction. The PDPB seeks to create a robust legal framework that harmonizes the protection of personal data with business interests and technological advancements with reference from General Data Protection Regulation (GDPR) adopted by European Union. It also outlines stringent requirements for consent, data localization, data processing and individual rights with the aim of revolutionizing how India manages personal information.
This blog post delves into the vast implications in respect to social media companies who operate in India henceforth under PDPB especially on their data collection practices as well as implications on users’ privacy and targeted advertisement.
Key Provisions of the PDPB
- Consent and Data Collection (Section 11): PDPB emphasizes that users must obtain consent before collecting and processing their personal data. These terms require that consent be specific, clear and unambiguous and that the user fully understands the data collected and the purpose of its processing. Social media platforms known for their extensive data collection need to review their approval procedures. This change is designed to give users more control over their personal data and ensure they are not at fault for how their data is used.
- Data Localization (Section 33): One of the most important and controversial features of the PDPB is its regional component. According to this law, businesses are required to keep copies of sensitive personal data in India and sensitive personal data must be processed only in India. This requirement is designed to protect national security, protect Indian citizens’ information from foreign surveillance, and ensure that information remains within the jurisdiction of Indian authorities. However, this action incurs significant costs for social media companies, which must invest in local data storage
- Data Processing Regulations (Sections 25-27): PDPB imposes strict rules regarding the processing of information. Social media companies must take security measures and comply with Data Protection Assessment (DPIA) to protect personal information. These measures are designed to identify and reduce risks to personal data and ensure that data processing is secure and transparent. The PDPB is also required to appoint Data Protection Officers (DPOs) who will be responsible for compliance with the law for companies processing large amounts of personal data.
- Rights of Data Principals (Sections 17-20): The PDPB offers six such rights to a data principal (see box below for an explanation of the terms). Each of these rights gives a user power to control their own personal information, and in keeping it out of the hands of those who might use it for purposes the user is not comfortable with. For example, the right to data portability allows a user to transfer their data from one service provider to another; this can be of particular importance in India, where users often do not have an alternative service provider throughout their life. But perhaps the most important right of them all for end-users is the right to be forgotten: this right allows a user to force the data holder to erase any personal data that is no longer required for the purposes it was collected in the first place.
- Establishment of Data Protection Authority (DPA) (Sections 41-54): One key element of the PDPB requires that there is a Data Protection Authority (DPA) established in each state to supervise compliance with the law, investigate grievances, and help to govern aspects of the new legal regime. The DPA represents the judicial branch necessary to safeguard data subjects from malicious, negligent or exploitative data collection and practices, as well as an official oversight body on which social media companies can pin accountability for safeguarding their data practices. The DPA will have the power to impose steep fines in cases where companies fail to comply with safeguarding regulations.
IMPLICATIONS FOR SOCIAL MEDIA COMPANIES
- Enhanced Compliance Requirements
The PDPB’s stringent rules around user consent and data processing will require Indian social media companies to drastically alter their operations. Each platform will likely have to implement a thorough compliance framework consisting of elaborate consent regimes, secure data processing protocols and audit clauses to ensure continuous regulatory compliance. Implementing this exercise, which is bound to be expensive and time-consuming, is unlikely to be easy, especially for smaller platforms that lack the means to invest in scalable compliance infrastructure. At the same time, this is precisely what the law demands to ensure user privacy and the responsible handling of personal data.
- Data Localization and Increased Costs
The data localization requirement will compel social media companies to establish local data storage infrastructure, which involves substantial financial investments. For global platforms, this means building or leasing data centers within India, which can be both logistically complex and expensive. Compliance with these requirements is essential to safeguard national security and ensure that personal data remains within the jurisdictional reach of Indian authorities. However, the increased costs associated with data localization may impact the profitability and operational efficiency of social media companies. Smaller platforms, in particular, may struggle to meet these requirements, potentially leading to market consolidation as larger companies with greater resources dominate the market.
IMPACT ON TARGETED ADVERTISING
The PDPB will have a huge impact on targeted advertising; which is one of the major sources of revenue for social media platforms. The availability of personal data for targeted advertising will be reduced due to stricter consent requirements and enhanced rights of users. Users, thus, have more control over their information by selecting whether or not to provide it and whom with they share such details. Consequently, advertisers will need to find other less invasive methods of reaching consumers and rely more on aggregate and anonymous data rather than individual profiles. In addition, this might reduce targeting precision but improve user privacy as well as protect against misuse of personal data.
User Privacy and Trust
From the user perspective, PDPB increases privacy and trust. The policy aims to empower users by giving people control over their personal data and making them more transparent about the processing of data. This type of authorization could support more privacy users as people become more aware of their rights and have more choices about the information they share. This can also increase trust between users and social media platforms, increasing customer trust and engagement. As users gain confidence in the security of their personal information, they may be more willing to use digital services, thereby stimulating growth and innovation in the business sector.
CASE LAW AND PRECEDENTS
The implementation of the PDPB will be affected by many important decisions in India and internationally. Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. Union of India (2017)[5],. This landmark decision laid the foundation for the PDPB, highlighting the need for strong data protection. The court stated that the right to privacy of private life is inherent in the right to life and personal freedom, and emphasized the necessity of the law to protect personal information.
GDPR sets important standards around the world and provides common sense for the use of PDPB. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014) [6] established the “right to be forgotten”, which allows individuals to request the removal of their personal data from search engines in certain cases. This document highlights the importance of user control over personal data and the need for legal procedures to enforce data protection rights. In addition, the heavy penalties imposed by the GDPR for non-compliance (such as the fines imposed on Google and British Airways) highlight the importance of maintaining processes in compliance with data protection laws.
FUTURE DIRECTIONS AND CHALLENGES
Despite its potential benefits, the PDPB poses several challenges, particularly in balancing data protection with innovation. Regulators must engage in continuous dialogue with industry stakeholders to ensure that the law evolves to protect privacy without stifling technological advancement. Collaborative efforts between the government, social media companies, and civil society will be crucial in shaping a balanced and effective data protection framework.
- Regulatory Challenges
One of the main challenges in implementing the Personal Data Protection Bill (PDPB) will be to ensure consistent and effective enforcement. The Data Protection Authority (DPA) will play a crucial role in this aspect, but it will need sufficient resources and authority to effectively fulfil its mandate. It is essential to ensure that the DPA is independent and free from political influence to maintain public trust in the regulatory framework. Additionally, the DPA will need to establish clear guidelines and standards for compliance, providing social media companies with the necessary tools to adhere to the law.
- Technological Innovation
Data protection and technology are very difficult to measure. The digital economy relies heavily on free information, and strict regulations can stifle innovation and hinder business growth. Regulators need to strike a balance between protecting user privacy and allowing the creation of new technologies and business models. This requires a detailed understanding of the digital environment and a willingness to change management processes as new challenges and opportunities arise.
- Global Implications
PDPB’s influence is not limited to India; It will also have a huge impact around the world. As one of the world’s largest digital economies, India’s data protection system will influence global data management policies and standards. International companies operating in India should update their practices to comply with the PDPB, and the law can serve as a model for other countries looking to create their own data protection laws. This could lead to greater harmonization of international data protection standards, thereby improving global data security and privacy.
- Economic Impact
The PDPB will have a significant economic impact, especially on social media companies that heavily rely on data-driven business models. Compliance and data localization requirements may increase costs, leading to higher prices for digital services and potentially affecting consumers. However, the improved privacy protections and increased user trust could also spur growth and innovation in the digital economy. By promoting a more secure and privacy-conscious digital environment, the PDPB could encourage greater user engagement and investment in new technologies.
User Education and Awareness
A critical component of the PDPB’s success will be user education and awareness. Users must be informed about their rights under the law and how to exercise them. Social media companies will need to invest in educational campaigns to ensure that users understand the importance of data privacy and the measures in place to protect their personal information. By empowering users with knowledge, the PDPB can foster a culture of privacy and security in the digital ecosystem.
CONCLUSION
India’s Personal Data Protection Bill represents a significant stride towards enhanced data protection and user privacy. While it imposes substantial challenges for social media companies, particularly in terms of compliance and targeted advertising, it also offers an opportunity to build a more transparent and trust-based digital ecosystem. The PDPB’s stringent requirements on consent, data localization, and data processing are designed to protect user privacy and ensure that personal data is handled responsibly. However, the success of the PDPB will depend on effective enforcement, continuous engagement with industry stakeholders, and user education.
As the PDPB comes into force, its real-world impact will become clearer, shaping the future of data privacy and digital interactions in India. The law’s influence will extend beyond India’s borders, contributing to the global discourse on data protection and privacy. By balancing the need for robust data protection with the imperative for technological innovation, the PDPB has the potential to create a secure and dynamic digital economy that benefits both users and businesses.
Author: Debasish Hazarika, in case of any queries please contact/write back to us via email to chhavi@khuranaandkhurana.com or at Khurana & Khurana, Advocates and IP Attorney.
REFERENCES
[1] Government of India, The Personal Data Protection Bill, 2019, No. 373, Act of Parliament, 2019.
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, O.J. (L 119) 1 (EU),
[3] Deloitte, Implications of the Personal Data Protection Bill, 2019 for Businesses, https://www2.deloitte.com/in/en/pages/risk/articles/implications-of-the-personal-data-protection-bill.html (last visited May 31, 2024).
[4] India’s Data Localisation: How It Will Impact Companies, The Economic Times (Nov. 28, 2018), https://economictimes.indiatimes.com/tech/internet/indias-data-localisation-how-it-will-impact-companies/articleshow/66837091.cms.
[5] Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1.
[6] Google Spain SL v. Agencia Española de Protección de Datos, Case C-131/12, ECLI:EU:C:2014:317 (May 13, 2014).
[7] Information Commissioner’s Office, British Airways Fine Under GDPR, https://ico.org.uk/action-weve-taken/enforcement/british-airways/ (last visited May 31, 2024).
[8] Commission Nationale de l’Informatique et des Libertés (CNIL), Google Fine Under GDPR, https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc (last visited May 31, 2024).