NOTE: On August 3, 2022, the Joint Parliamentary Committee (JPC) withdrew the Personal Data Protection Bill in light of a new comprehensive legal framework that the JPC is working on. Minister of Railways, Communications and Electronics and Information Technology in Government Ashwini Vaishnaw released a written statement that mentioned Parliament will be drafting a new bill that fits into the comprehensive legal framework, as the current bill had over 80 proposed amendments.
The bill was not without criticism, drawing ire from privacy advocacy groups for giving too much power to corporations, as well as tech giants Meta, Amazon, and Google having concerns over newer recommendations to the bill surrounding personal data.
What is the New Indian Personal Data Protection Bill?
On July 27, 2018, the Indian government released the draft Personal Data Protection Bill, 2018. The draft was produced by the Srikrishna Committee, a high-level group led by former SC judge and tasked with modernizing India’s data-privacy standards. The Bill is inspired by the current privacy laws worldwide and hopes to adopt a middle ground in terms of its legislative strictness: falling between the American hands-off approach and Europe’s strict GDPR.
Here are some of the key elements of the proposed Bill:
Who & What is Covered
Personal data is defined by the draft law as any data that relates to a natural person and that identifies such person (directly or indirectly), either in itself or through its combination with any other information. There is also a specific regime introduced for sensitive personal data, that should include i.e. passwords, financial data, biometric and medical data.
The Bill should cover both public and private entities’ (including the government itself) processing of personal data:
(i) of Indian residents, or
(ii) taking place in India, or
(iii) being conducted within their business activities (or other activities potentially harmful to individuals’ privacy) in India, or
(iv) if the entities are incorporated under Indian law (irrespective of whether the data is actually processed in India).
Privacy Rights and Principles
The proposed Bill seeks to align its privacy requirements and principles with those included in the European Union’s GDPR. It expressly relies on Privacy by Design, Transparency and Accountability principles in the data processing activities.
With regards to the individuals (‘data principals’), 4 basic rights are envisioned for them by the legislation: right to confirmation of data-processing and of access to processed personal data; right to correct inaccurate, outdated or incomplete personal data; right to data portability enabling the individual to receive their processed personal data in a structured, commonly used and machine-readable format (reminiscent of similar GDPR-introduced right), and the right to be forgotten allowing the individuals to restrict or prevent data-processing under certain conditions.
Under the future law, organizations will be able to rely on individual’s consent as one of the legal bases for personal data processing. Other bases include employment-related purposes, necessity of a prompt action (similar to GDPR’s protection of vital interests) or ‘reasonable purposes’ that roughly correspond to GDPR’s legitimate interest legal basis. Interestingly, the performance of a contract did not make it into the Bill as an independent processing basis.
Obligations for Organizations
Hand in hand with new individuals’ right and privacy principles comes a new broad set of obligations to organizations conducting the processing of personal data under the new legislation (‘data fiduciaries‘). Some of the proposed obligations are already familiar from other data privacy legislation around the world (EU’s GDPR or Brazil’s LGPD). These include the obligations to maintain records of personal data processing, personal data breach notification, or conducting Data Privacy Impact Assessments for processing that carries a risk of significant harm to individuals.
There are however also notable novelties included in the Bill as well, such as a required performance of annual data audits or Data Protection Authority’s envisaged identification of ‘significant data fiduciaries’ with required registration obligations. Also, the rumored storage limitation obligation made its way into the draft law: it requires companies to ensure storage of at least one serving copy of individuals’ personal data on a server or data center located in India. Furthermore, the government plans to notify certain categories of personal data (‘critical personal data‘) that should ONLY be processed within India (these will likely include sensitive personal data categories).
Overall, the Indian draft privacy Bill introduces an interesting mixture of data privacy rights and obligations already familiar (mainly from the GDPR) and comes forth with new, unique requirements. As the Bill still must pass the Indian parliamentary process to be enacted, it will be interesting to see its further evolution. Once enacted, it is foreseen to come into force after a period of 30 months – allowing the businesses to adjust to the radical changes to personal data processing, that it proposes.
With new data protection regulation proposals popping up across the world (see: Brazil, California), it’s clear that the GDPR enforcement date was just the tipping point for what’s expected to be a worldwide focus on privacy.
OneTrust is built to help companies comply with these various and diverse global privacy laws: to get a free trial visit https://www.onetrust.com/free-trial/