India's Data Protection Bill faces two challenges upfront that need to be resolved, since the bill has the potential to threaten cybersecurity globally.
Industry experts feel that the Indian Data Protection Bill 2019, which aims to help consumers exercise their privacy rights, needs a proper structural framework; otherwise the personal data of millions of users in the country will be at stake.
The main challenge lies in the classification of data, as the bill categorizes data as Personal Data, Sensitive Personal Data, and Critical Personal Data. The lack of clarity about which data qualifies under which head causes uncertainty in the industry. The problem can get aggravated when data collection and processing are done by different agencies, in which case each fiduciary will have to take consent at every step of the operation. This process noticeably increases processing time and slows down all the services.
According to the bill, when national security is involved, the government can ask companies, including Facebook, Google, and others, for anonymized personal data and non-personal data. This provision would give the government unaccountable access to the personal data of users in the country.
Experts can demand clarification in several areas of ambiguity, which need to be resolved for businesses to fully comprehend the extent of the adjustments they will have to make to comply with the bill.
Do you know what data re-identification is?
Companies process customer data using unique algorithms to decouple sensitive information like location traces and medical records from identifying details like email addresses and passport numbers. This process is called de-identification.
Organizations can recover the link between users' identities and their data when needed. Such controlled re-identification by companies happens routinely for analysis purposes. On the other hand, if a malicious attacker re-identifies the data, the cybercriminals would gain a valuable pool of data.
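The de-identification and controlled re-identification described above, as an added illustration that is not part of the original article: identifiers (email, passport number) are replaced by a keyed token, the identifier-to-token link is kept in a separate, access-controlled table, and only a holder of that table can rejoin identities with the sensitive fields. The records, key and field names are constructed for the example.

```python
import hmac
import hashlib

# Constructed sample records (fictitious people): identifying details plus sensitive fields.
RECORDS = [
    {"email": "alice@example.com", "passport": "P1234567", "location": "Pune", "diagnosis": "asthma"},
    {"email": "bob@example.com", "passport": "P7654321", "location": "Delhi", "diagnosis": "diabetes"},
]
IDENTIFIERS = ("email", "passport")  # fields that directly identify a person


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed token for an identifier (HMAC-SHA256, truncated).

    Unlike a plain hash, the token cannot be recomputed from a known identifier
    without the key, so a party holding only the de-identified dataset cannot
    confirm whose record a token belongs to.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def de_identify(records, key: bytes):
    """Split records into (a) sensitive rows keyed by token and (b) a link table.

    The link table is the only place identities survive and is meant to be stored
    under separate access control from the sensitive rows.
    """
    sensitive, link_table = [], {}
    for r in records:
        token = pseudonym(r["email"], key)
        link_table[token] = {k: r[k] for k in IDENTIFIERS}
        sensitive.append({"token": token, **{k: v for k, v in r.items() if k not in IDENTIFIERS}})
    return sensitive, link_table


def re_identify(sensitive, link_table):
    """Controlled re-identification: rejoin identities using the protected link table."""
    return [
        {**link_table[row["token"]], **{k: v for k, v in row.items() if k != "token"}}
        for row in sensitive
    ]


if __name__ == "__main__":
    key = b"constructed-secret-key-keep-out-of-dataset"
    rows, links = de_identify(RECORDS, key)
    print(rows)                     # tokens plus location/diagnosis, no email or passport
    print(re_identify(rows, links) == RECORDS)
```

A practitioner's check: the same identifier under a different key yields a different token, which is what stops a third party without the key from matching tokens to identifiers they already know.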
India's Data Protection Bill intends to ban re-identification without consent and to subject it to financial penalties. An outright ban on re-identification increases the risk of data breaches, as explaining companies' secretive data protection techniques and the purpose of data collection to the user is a cumbersome process.
The law should enable researchers to report the vulnerabilities they detect. The common goal should be to fix security problems quickly and efficiently rather than to extract hefty fines from companies.