2020 witnessed a 23% increase in the number of internet users in India and a 141% increase in the number of data breaches compared to 2019. Recognizing the importance of data protection, the Ministry of Electronics and Information Technology (MeitY), Government of India introduced the Personal Data Protection Bill (PDP) in the parliament in December 2019. The bill lays down regulations for the protection of the personal data of individuals and presents a framework to establish Data Protection Authority (DPA). It is broadly based on the principles of General Data Protection Regulation (GDPR) and the judgment by the Supreme Court wherein the right to privacy was upheld as a fundamental right under the Indian Constitution.
The bill delineates the obligations of data fiduciaries and the rights of data principals. It seeks to regulate the processing of personal data by the government, companies incorporated in India and foreign companies handling the personal data of individuals in India. Under the bill, personal data can be processed only for specific purposes after obtaining the consent of the data owner, although certain exemptions from its provisions are offered. It also imposes hefty financial penalties in case of non-compliance. All individuals sharing information and all firms involved in the collection or processing of data, such as financial services firms, social media intermediaries, health service providers and insurance providers, are impacted by the bill.
A Joint Parliamentary Committee (JPC) was formed on December 12, 2019, to review the proposed Data Protection Bill. The JPC was expected to provide its report in February 2020 but has obtained an extension till May 2021. Some reports have indicated that the PDP Bill will be significantly redrawn by the JPC, but this is yet to be confirmed.
Impact on Health Insurance Business
Given the immensity of data generated and processed every day, the provisions of the Bill are a step in the right direction. However, the exemptions offered by the bill, especially to the State, are concerning.
- The bill establishes a distinction between the State and private entities providing a similar service. In certain cases, the bill exempts the State from obtaining the consent of the individual for processing personal data, and this exemption is extended to all services offered by the State, including commercial services. This is an area of concern for private health insurance providers, which would need to obtain the consent of customers for processing their data while our competitors in the public sector are not obligated to do so. This provision would lead to market inefficiencies and would provide unrestricted power to the State. The Bill needs to re-evaluate this approach, and consultations should be obtained from industry experts.
- Furthermore, data fiduciaries are required to inform the DPA of data breaches only if the breach is expected to cause harm to the data owner. Harm is defined to include financial loss, loss of reputation or withdrawal of a service. Selective disclosure of such breaches at the entity's discretion will not be efficient, as fiduciaries would have an incentive to downplay the impact of data breaches to protect their market reputation. Clients would naturally seek an insurer with fewer instances of data breaches, and in this case optional reporting by insurance providers would deprive them of important information. Ideally, all data breaches should at least be reported on the organization's website, if not directly to the DPA, to avoid overburdening the DPA's resources. This should be a factor in assigning data trust scores. The law could also be updated to include detailed, mandatory and enforceable step-by-step guidelines on how breaches are to be assessed, processed and reported.
- The Bill further categorizes personal data into sensitive and non-sensitive personal data. Health and financial data, which we deal with, are categorized as sensitive personal data. The Bill places additional data localization requirements on this type of personal data: the data may be transferred abroad, but a copy must be stored in India. This would prevent insurers from relying solely on foreign infrastructure such as cloud computing for storing data, thus leading to a significant increase in storage costs. Further, the task of classifying data as sensitive or non-sensitive would also add to compliance costs. The firm needs to invest in teams to assess the expected increase in financial burden and build appropriate infrastructure to meet this provision.
- The Bill also requires all data fiduciaries to prepare and implement a Privacy by Design Policy that will have to be approved by the DPA and published on the website. There are also provisions for annual data audits where an auditor will give annual data trust scores to the organizations. Firms now need to proactively work on developing codes and processes to meet these statutory requirements, which would lead to a further increase in compliance costs.
While the introduction of this bill is a step in the right direction, certain provisions are a cause for concern as they seek to provide blanket powers to the State. Additionally, provisions for data localization, cross-border data transfer restrictions and compliance requirements are expected to add a significant financial burden on insurers. Considerable delays in the Bill's enactment are expected, given the extensions requested by the JPC and reports of changes in its scope. Nevertheless, insurers need to take charge and work towards adapting to an environment where such regulations and requirements are inevitable.