India’s Personal Data Protection Bill: What We Know so Far
On 27 July 2018, the Srikrishna Committee published a draft bill for a new, comprehensive data protection law, the Personal Data Protection Bill 2018 (PDPB) in response to a mandate the Indian government received from the Indian Supreme Court the previous year following its ruling that recognized privacy as a fundamental right. While the bill has not yet been passed it, Telecom and IT minister Ravi Shankar Prasad has made it a priority to take the data protection bill to Parliament during his current term.
Heavily influenced by the EU’s General Data Protection Regulation, the new bill would grant Indian data subjects extensive data protection rights while imposing limitations on the collection and processing of personal and sensitive data. The Bill came under fire from the international tech community because of the data localisation policy included in it that would require any company processing the personal data of Indian data subjects to store a copy of that data on Indian territory.
While the draft bill may suffer some amendments before it will be submitted to Parliament, which in turn may request further changes, it will serve as the basis for the final bill.
What is personal information?
The draft bill makes reference to three categories of data: personal data that refers to any data about or relating to a natural person (named data principal in the bill); sensitive personal data which includes health and genetic data, biometrics, caste or tribe data, passwords etc. and critical personal data which remains undefined but can be notified by the central government. The processing of data relating to children is also restricted while irreversibly anonymized data is exempt from the law.
Who will it apply to?
The bill would apply to government as well as private entities whether they are data collectors (named data fiduciaries in the bill) or data processors that collect, store, disclose, share or otherwise use personal data connected to any business carried out in India or as a result of systematic offering of goods and services to data principals in India, or profiling of data principals within India.
This means that the bill would have an extraterritorial reach and any company processing the personal data of Indian data principals would have to comply with the new law.
The bill also specifies that the Data Protection Authority enforcing it can classify certain types of data fiduciaries as significant or high risk data controllers. These would be organisations that process sensitive data or large volumes of personal data or have a high turnover rate which would pose a risk of harm to data subjects. Additional requirements would apply to these significant data controllers: they would need to appoint a Data Protection Officer, conduct data protection impact assessments, data audits and comply with record keeping requirements.
New Rights for Indian Data Principals
Taking a leaf from the GDPR’s book, the bill grants Indian data principals the right to confirm, access and correct their data as well as the right to be forgotten and to data portability. However, there are a few marked differences in the enforcement of these rights. In order for an Indian data principal to have his data forgotten for example, he would first have to submit a request to an adjudicating authority under the bill which would need to take several factors into consideration before granting it.
Cross-border Data Transfers
Transfers of Indian data principals’ personal data to third countries would follow rules similar to those laid out in the GDPR. The bill introduces European Commission-style adequacy decisions which the Indian government would grant to countries it believes have an adequate level of data protection, similar to that existent in India.
Cross border data transfers would also be permissible if standard contractual clauses, as defined by the Data Protection Authority, would be applied. The bill under its current form does not clarify whether additional data principal consent would be required in either of these two cases.
The Data Localisation Policy
The most controversial requirement of the draft bill is a data localisation policy which demands that a copy of all personal data falling under the incidence of the bill be stored in India by the data controller. Additional copies can be stored outside of India, but the government can choose to make it mandatory to store certain categories of data only in India.
The bill was a hot topic during the Indo-US bilateral talks earlier this year: the PDPB along with another draft bill on e-commerce were criticised by US secretary of commerce Wilbur Ross as containing proposals that were discriminatory and trade distortive. He further expressed his doubts that India possesses the infrastructure to be able to save its companies’ data. In response, the Indian government expressed its sovereign right over the data produced within the country.
A group of associations that included the US Chamber of Commerce, the US-India Business Council (USIBC), the Japan Electronics and Information Technology Industries Association (JEITA) and DIGITAL EUROPE also expressed their belief that the data localisation policy would deter global tech companies from continuing their business in India as storing data locally would raise company costs by 30-60% while not guaranteeing data security.
Data breach notifications
The bill includes mandatory data breach notifications for all data controllers. The Data Protection Authority would have to be informed of any breaches that are likely to harm data principals. While the bill does not specify a deadline for the notification, the Data Protection Authority can clarify this point and set a time limit within which a data breach notification must be made.
It is also up to the Data Protection Authority to decide whether data subjects must be notified of the breach, what remediation actions should be taken and whether details concerning the data breach would be published on its website.
The bad news for companies is that the bill’s penalties are also inspired by its European cousin, the GDPR. Organisations failing to notify data breaches or to meet their obligations as a significant data controller would be fined up to approximately USD 730,000 or 2% of a company’s global turnover.
Unlawful cross-border data transfers, failure to provide notices to data principals along with a legitimate basis for processing or processing the data of children in contravention of the bill would lead to even more serious fines: up to approximately USD 2.7 million or 4% of a company’s global turnover.
The penalties are not only financial: the sale of personal data that results in the significant harm of a data principal or the re-identification of anonymized data would result in criminal penalties.