India recently introduced the Personal Data Protection Bill 2018 (“Bill”). The transfer of personal data in India is currently governed by the SPD Rules (Sensitive Personal Data and Information, 2011), which is however considered outdated and not fully protective of personal data. The Bill comes as a result of the country’s Supreme Court recent judgment that declared privacy a fundamental right of an individual. The Srikrishma Committee (“Committee”) was responsible for drafting the Bill and coined a legal framework that is aimed to shape the country’s digital agenda.
The Committee took into consideration the US sectoral approach, the EU omnibus approach and China’s approach on averting national security risks. In combining best practices across these territories, the Committee tried to create a law that is both contemporary and aligned with recent legal developments.
Requirements for Companies
The Bill contains 112 sections that run through 15 Chapters and follows a structure that is quite familiar because of the GDPR, the EU wide data protection legislation that entered into force in May this year.
Definitions, Scope Of Application And Data Protection Obligations
The Committee uses the term “data principals” to describe the individuals (the equivalent of the EU “data subject”) and “data fiduciaries” to describe the organizations (the equivalent of the EU “data controller”). It widens the definition of personal data to include any data that allows an individual to be directly or indirectly identified. The Bill also includes several categories as sensitive data, including financial data that reveal financial status and credit history.
The Bill will apply to every organization, and the government, that processes personal data in India, as well as any processing by the State, Indian companies or Indian citizens. It will also apply to entities that are not based in India but that offer goods or services in India, or in case they profile individuals in India.
The Bill introduces a number of data protection obligations that are very similar to the ones found in the GDPR, namely fair and reasonable processing, purpose limitation, collection limitation, lawful processing, notice, data quality, data storage limitation, and accountability. These are high-level obligations that provide guidance to a company that processes personal data.
Processing Grounds, Transparency, And Privacy By Design
The Bill names consent as the primary ground for data processing, however such consent needs to be free, informed, explicit, and unambiguous. It may therefore not always be easy for an organization to prove that they have acquired valid consent. Other grounds for processing include State functions, compliance with a legal obligation, required for an emergency, processing connected to employment purposes, and processing for reasonable purposes. The last purpose is rather vague and it is expected that the Indian DPA will provide further guidance on the range of purposes that may be considered reasonable.
The Bill introduces several transparency obligations, including a record of data processing, and an obligation to run data protection impact assessments. Organizations need to undertake an annual data audit and assign this to independent data auditors. Further, organizations involved in high-risk processing are considered “significant data fiduciaries” and will need to appoint a data protection officer (“DPO”). Organizations not present in India who are under the scope of the Bill will need to appoint a DPO who is based in India.
Data Principals’ Rights
The Bill recognizes similar rights to the ones found in the GDPR. In particular, the Bill grants to data principals the right to access, correction, data portability and the right to be forgotten. However, the right to be forgotten is not a right to erasure as granted under the GDPR, but more restrictive in nature since it only aims to prevent or restrict disclosure of personal data by a fiduciary, and not complete erasure. Also, the rights to object to automated decision making and profiling are not explicitly provided, however the user can withdraw their consent at any time.
Data Protection Authority And Its Powers
The Bill will also establish a data protection authority, DPAI, consisting of a chairperson and six board members that are appointed by the Central Government. The DPAI will be equipped with a number of functions that are similar to the one that European Supervisory Authorities have. For instance they will be responsible to identify timelines to respond to data principals requests, regulate data breach notifications and general enforcement of the Bill.
Data Localization Requirements
The Bill adopts a restrictive approach to cross border data transfers since it requires organizations to store at least one copy of personal data on servers or data centers located in India (Chapter VIII, Transfer of Personal Data Outside India). The Bill also tasks the central government with the responsibility to identify the categories of data that are considered critical personal data. Such critical data are only to be processed in a server or data center that is located in India, which is similar to China’s data localization restrictions.
These data localization rules may be difficult to enforce and will certainly increase the cost of compliance. Foreign firms which have millions of users in India but store their data at remote locations will be particularly affected by this measure, if enacted. At the same time this requirement may prevent smaller players from entering the market. In fact, Telangana was the first Indian state that raised concerns over data localization rules, fearing that implementation of such clauses may isolate Indian startups and hurt investments in the country.
The Bill comes with a penalty of INR 5000 per day of violation amounting up to a maximum of INR 1 million. For violations of the Bill, and depending on the severity of said violations, the DPAI can award fines ranging from 2-4% of the company’s global revenue or INR 50-150 million (roughly 700,000-2,000,000 million USD), whichever is higher. These sanctions percentile ranges are identical to the ones that the GDPR introduced earlier in the year.
The Bill also introduces some criminal offences which are non-bailable and can go up to 5 years depending on the violation in question.
The Ministry of Electronics & Information Technology is currently collecting feedback on the Bill and has extended the relevant deadline until 30 September. It is expected that the Ministry will soon thereafter finalize the Bill. If enacted, organizations will have 12 months to ensure compliance with the Bill. This appears to be a tight timeline since some criteria are particularly strict (e.g. data localization).