India’s Data Protection Law Takes a Step Forward

Written by: Chase Langhorne, Esq.

In an ever-increasing data driven world, India’s proposed Personal Data Protection Bill (“PDPB”) took a step forward on December 4th when the Indian Prime Minister Narendra Modi approved the bill for tabling in parliament. The PDPB was first proposed in 2018 and is designed to protect the personal data of Indian citizens.

Similar to GDPR

The PDPB is said to be modeled after GDPR and provides for data protection in the collection, storage, and processing of personal data. Similar to EU member states under GDPR, the PDPB also establishes a national data protection authority, the Data Protection Authority of India (“DPAI”), to oversee the enforcement of the law. The PDPB similarly imposes a penalty structure for businesses that do not comply with the law. Namely, businesses can be fined up to 150 million rupees or 4% of global turnover, whichever is higher. Also in line with GDPR is a cross-border transfer limitation.

Data Localization

Unlike GDPR, the PDPB includes a data localization provision that businesses processing the personal data of Indian citizens need to take note of. The PDPB separates personal data into three categories: general, sensitive, and critical. Personal data that falls into the general category can be processed and stored anywhere in the world, with the consent of the individual. Data that falls into the sensitive category may be processed outside India, but must ultimately be stored within India’s borders. Lastly, critical data must be stored and processed in India. This data localization requirement is similar to what is required by Chinese law. This presents an interesting operational hurdle for businesses that do not operate in India, but that process the personal data of Indian citizens. Depending on the type of data your business handles, you may need to arrange for physical systems within India’s borders, whether or not you have a physical presence in India.

Government Access

The PDPB provides for the Indian government to access the personal data your business stores if the government finds it necessary for national security. The operational requirements of this access have not been clarified. To air on the side of caution, businesses need to prepare in the event they are required to give the Indian government access to all systems. For businesses that operate in Costa Rica, this is similar to the “superuser” concept that Costa Rica had in place before their 2016 amendments, which essentially required businesses provide administrator level access to all systems processing personal data.

Next Steps

The bill is slated to be presented to parliament during this legislative session which ends on December 13th. If the bill is approved by parliament, businesses will have up to two years to be compliant with the law.