The regulation on data protection and privacy should adopt a risk-based approach and provide certain relaxations and exceptions for micro, small and medium enterprises (MSMEs) under specific circumstances, suggested a recent ASSOCHAM-PwC joint study.
“In the Indian context, it is also important to ask questions on the applicability and impact of any such data protection regulation on small and medium businesses (SMBs),” said the study titled ‘Privacy in the data economy,’ jointly conducted by The Associated Chambers of Commerce and Industry of India (ASSOCHAM) and global professional services firm PricewaterhouseCoopers (PwC).
The report stated that stringent regulations may deter MSMEs due to the high costs and technology investments necessary for compliance. However, in the new-age economy, a number of small enterprises are capturing and processing large volumes of data.
It further said that certain categories of private processing, such as processing carried out by not-for-profit organisations or charitable institutes, may have to be dealt with categorically and provided with certain exemptions.
The ASSOCHAM-PwC joint study suggested that privacy laws should also cater to specific sectors such as healthcare, telecom, banking and finance to address various nuances in each sector.
With a view to establishing a robust, transparent and enforceable regulation, the study has outlined the following recommendations:
· Borderless Internet – The regulation should not only apply to entities (both public and private) within India that process personal data of Indian citizens and residents but it should also be applicable to all kinds of processing carried out on the personal data of Indian citizens and residents, even though such processing may not be entirely based in India or may be carried out by non-Indian entities that do not have a presence in India.
· Cross-border transfer of data – The regulation should clearly restrict transfers only to countries that offer an adequate level of protection and propose additional measures that need to be ensured for data transfers that do not meet such standards.
· Accountability of data – Both the data processor and data controller should be equally accountable for safeguarding data.
· State interest vs individual’s privacy – The proposed regulation will need to walk a tight line between the right to privacy and national security considerations in order to strike the right balance and avoid excessive interference in citizens’ personal lives without justification. Such considerations, categories and exceptions should be clearly called out to avoid any ambiguity to the extent feasible.
· Localisation of data – The regulation should take a call on data localisation after considering a cost-benefit analysis between the enforcement benefits derived from data localisation and the costs involved pursuant to such requirements. A one-size-fits-all model may not be the most fruitful and may cause more harm than benefit to the industry.
· Penalties and compensation – There should be a higher level of penalty for breaches of privacy that organisations wilfully make or that result from negligent security practices. As regards compensation, there should be clarity around the quantum and nature of the same to the extent feasible.