Consumer data privacy rights advance in China, stall in India
The dominant mainland Asia economic powers, China and India, are tackling consumer privacy with proposed overarching legislation, but at the moment only China seems poised to deliver soon, according to a privacy industry group.
China’s proposed Personal Information Protection Law is being debated by a key legislative body, and has been posted for public comment. Meanwhile, India is still mired in compiling a report on a possible law.
A pair of industry insiders told members of the International Association of Privacy Professionals that the legislation could win final approve in a matter of weeks.
Barbara Li, head of corporate for Hong Kong-based law firm Rui Bai, and Malavika Raghavan, a senior fellow at the Future of Privacy Forum think tank spoke during the association’s annual global summit.
The Chinese bill was proposed in October, Li said. Getting so close to a final vote this soon is unusual, and is an indication that Beijing is trying to build consumer trust in biometrics and other privacy measures.
That is, trust in the digital economy, which the authoritarian government has chosen for rapid development.
Government use of digital surveillance is a “take it or take it” proposition. There is no significant government consideration about how citizens feel about the blanket biometric surveillance throughout the nation.
Among the provisions of the proposal, said Li, is a requirement that critical information infrastructure operators will have to pass a government security assessment.
Fines for failing to protect consumer data would run as high as five percent of a business’ annual profit, she said.
Li added that the law would allow for a comparatively generous private right of action.
India is slowly moving on its Personal Data Protection Bill, which was proposed in 2017, Li said. There was an expectation that the legislation might already be signed into law by now.
More than 80 amendments have been attached to the bill at one time or another. And legislators have yet to define such basic concepts as critical personal data.
Raghavan noted there are been two delays in finishing a final committee report on the bill. It could be agreed upon this summer, he said, and enacted by the end of the year. The government would be able to reject access to data by countries.
It is interesting to note that the Indian law goes in the opposite direction of China’s proposal on a right to action. As it stands today, that right has been erased from the Indian bill.
The Indian private sector is lobbing privacy ideas at the lawmaking process.
Kriti Mittal and Varad Pande, both of whom work for early-stage funder Omidyar Network India, are pushing a federated architecture model for personal data. Mittal is entrepreneur in residence and Pande is a partner of the philanthropic firm.
Data in such a scenario is stored in multiple databases with a secure data exchange protocol to avoid building one big data store that draws thieves.
And the onus for privacy must fall on service providers, not consumers, who do not have the experience or time to analyze contracts supposedly protecting their data, Pande said.