New Data Protection Law Proposed in India! Flavors of GDPR
The much-awaited Personal Data Protection Bill, 2018 (“Draft Bill”) was released by the Committee of Experts entrusted with creating a Data Protection Framework for India (“Committee”) on Friday evening.
The Committee, chaired by retired Supreme Court judge, Justice Srikrishna, was constituted in August 2017 by the Ministry of Electronics & Information Technology, Government of India (“MeitY”) to come up with a draft of a data protection law. After over a year of deliberations and a series of public consultations followed by the release of a white paper with preliminary views, the Committee has released a Draft Bill. The Draft Bill is accompanied by its report titled “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians” (“Report”), which provides context to the deliberations of the Committee.
MeitY as the nodal ministry may accept, reject or alter such Draft Bill. Thereafter, the Draft Bill would need to be approved by the Union Cabinet before it is introduced in the Parliament for deliberations.
Some of the key highlights of the Draft Bill are:
To summarize, whilst we believe that the Draft Bill does have its share of positives, in several places the Draft Bill is either ambiguous or imposes excessive obligations on Data Fiduciaries and prescribes disproportionate punishments. Several factors are left to be determined through Codes of Practice or to be determined by the Government at a later stage. Therefore, at this stage the full impact of the proposed law cannot be comprehended in its entirety.
In several respects, we note that the Draft Bill appears to have borrowed heavily from the recently notified E.U. General Data Protection Regulation (“GDPR”). Given that the GDPR is itself still in its infancy, it is imperative that lawmakers provide enough flexibility for the law to be altered on the basis of global experience. Further, we find that even the current basic law under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“2011 Rules”) has still not been fully implemented even after 7 years. Therefore, implementation will be key to this fairly detailed and somewhat cumbersome law.
We hope that the law is made more balanced by diluting some of the draconian provisions as well as by issuing clarifications, after public consultation, on the points that are not clear. Therefore, ideally, once MeitY finalizes the draft, it should place the law in the public domain and give stakeholders an opportunity to provide further inputs before the law is placed before Parliament.
We have set out in our detailed analysis below the possible implications that it may have on businesses, including offshore companies doing business in India. As we continue to read, debate and delve deeper into the wording of the law, our views on several of these issues may evolve.
To summarize, while the Draft Bill does have its share of positives, in several places the Draft Bill is either ambiguous or imposes excessive obligations on Data Fiduciaries and prescribes disproportionate punishments. It also seems to have certain unintended consequences for start-ups and non-digital businesses, exposing them to excessive compliance requirements.
Our detailed analysis of the Draft Bill is available here.