India’s Controversial Personal Data Protection Bill, If Passed, Goes Into Effect in 2020

Written by: Anthony E. Stewart, Esq.

India’s draft privacy law, Personal Data Protection Bill, 2018, is an important step as India moves toward a digital economy; however, it is one of the more controversial privacy laws amongst privacy experts.  Critics have accused India Prime Minister Narendra Modi’s Bharatiya Janata Party of creating a “surveillance state” after it passed the Information Technology Act last year, which allowed 10 federal government agencies to intercept and monitor information from any computer.  Those allegations along with certain exemptions contained in the draft bill contribute to criticisms that the draft bill is not sufficiently drafted to truly protect the right to privacy in India.

Key provisions include:

  • Data Protection Officer. All data fiduciaries (the equivalent to ‘data controllers’ under the GDPR) will be required to appoint, and publicly identify, a data protection officer.
  • Data Principal Rights. India’s draft bill will provide data principals (the equivalent to ‘data subjects’ under the GDPR) with the following rights: (1) right to confirmation and access; (2) right to correction; (3) right to data portability; and (4) right to be forgotten; (5) right to data portability.
  • Extraterritorial Application. Similar to the GDPR, India’s draft bill will be far reaching.  The draft bill will apply to domestic and foreign entities if the processing is: (1) carried out in India; (2) conducted by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law; (3) in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or (4) in connection with any activity which involves profiling of data principals within the territory of India.
  • Legal Basis for Processing. Under the draft bill, personal data can be processed: (1) on the basis of consent; (2) for functions of the State; (3) in compliance with law or any court order; (4) when necessary for “prompt action;” (5) related to employment; or (6) for “reasonable purposes.”
  • International Transfer of Data. Every data fiduciary will be required to store at least one copy of the personal data it processes on a server or data center located in India.  Any personal data transferred outside the territory of India will only be allowed if it meets one or more of the following conditions: (1) the transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the Authority; (2) the transfer is to a country or particular international organization that provide an adequate level of data protection (as determined by the Central Government); or (3) the Authority approves a particular transfer or set of transfers as permissible due to a situation of necessity.  If relying on condition (1) or condition (2), the data principal’s consent to transfer his or her personal data must also be obtained.
  • Notification of Personal Data Breaches. Data fiduciaries will be required to notify the Authority of any personal data breach processed by the data fiduciary where such breach is likely to cause harm to any data principal as soon as possible.  The Authority – not the data fiduciary – will determine whether the personal data breach should be reported to the data principal.
  • Privacy Notices – The data fiduciary will be required to provide data principals with the following information in a clear, and concise manner that is easily comprehensible to a reasonable person and in multiple languages where necessary and practicable: (1) purposes for which the personal data is to be processed; (2) categories of personal data being collected; (3) the identity and contact details of the data fiduciary and the contact details of the data protection officer, if applicable; (4) the right of the data principal to withdraw such consent, and the procedure for such withdrawal, if the personal data is intended to be processed on the basis of consent; (5) the basis for such processing, and the consequences of the failure to provide such personal data; (6) the source of such collection, if the personal data is not collected from the data principal; (7) the individuals or entities including other data fiduciaries or data processors, with whom such personal data may be shared, if applicable; (8) information regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out, if applicable; (9) the period for which the personal data will be retained or where such period is not known, the criteria for determining such period; (10) the existence of and procedure for the exercise of data principal rights; (11) the procedure for grievance redressal; (12) the existence of a right to file complaints to the Authority; (13) where applicable, any rating in the form of a data trust score that may be assigned to the data fiduciary; and (14) any other information as may be specified by the Authority.

Failure to comply can result in fines of up to 5 crores (approximately $717,850 USD) or two percent of its total worldwide turnover, whichever is higher.