Indian Data Protection Bill Nearing Passage

Written by: Brock Wolf, Esq.

Last month, India’s Joint Parliamentary Committee submitted its report on India’s draft Data Protection Bill (the “Bill”) to Parliament. The report, which comes after two (2) years of deliberations, contains the Joint Parliamentary Committee’s recommendations and a revised draft of the Bill.

In 2017, the Supreme Court of India declared the right to privacy a fundamental right under the Indian Constitution. This ruling laid the foundation for the nation’s government to create a data protection regime, and in July 2018, an initial draft of the legislation was introduced.

Years later, the Bill is expected to pass. It will be considered in the Indian Parliament’s next session, beginning in February 2022.

The latest draft of the Data Protection Bill provides for a phased implementation of the data privacy regime, starting with the appointment of a Data Protection Authority (“DPA”). Full implementation of the law would occur over the course of a twenty-four (24) month period.

We outline key areas of the Bill below:

1. Notification

The current draft of the Bill calls for notification to the DPA within seventy-two (72) hours of the discovery of a breach. Upon notification, the DPA is given the authority to determine whether data subjects would need to be notified. Under the Bill, notification to the DPA is mandatory for every breach affecting Indian data subjects.

2. Consent

Consent is another key requirement under the Bill. Consent to data processing is required in almost all scenarios. However, data may be processed without consent if processing is necessary for “reasonable purposes.” It is expected that during the implementation phase, the DPA will provide guidance on what constitutes a “reasonable purpose.”

3. Data Localization

The Bill also includes localization requirements for processing and transferring data. Specifically, “critical personal data” must be processed locally in India. The Bill gives broad discretion to the government to define “critical personal data.”

“Sensitive personal data,” which includes biometric data and financial information, may be transferred out of India if a copy of the data is stored on a local Indian server.
