Technology Law Analysis November 12, 2019

Privacy Law Developments in India – Wrapping up 2019

From what was expected to be a prospectively chaotic year in terms of privacy law developments, has turned out to be a rather mellow year thus far. The introduction of the revamped general privacy and data protection law in India continues to loom but there appears to be some time until it is introduced. This update brings to you privacy and data protection related developments in India during the past 11 months, which may be of interest to organizations doing or looking to do business in India.

1.New privacy and data protection law lurking

Indian Parliament is likely to consider the Personal Data Protection Bill, 2018 that is set to revamp the existing framework in India, in the upcoming Winter Session commencing from 18th November. The proposed law was publicly released last year and appears GDPR-inspired on various fronts. The proposed law may have a considerable impact on MNCs operating in India, whether with or without a physical presence, due to its data localization requirements and cross-border data transfer restrictions.

Our paper provides details of the proposed law, how it compares to the GDPR, specific industry implications and tax considerations. Our Technology and Privacy law team had also hosted a webinar to discuss the development and our analysis.

2. Clarifications on data localization in the payments industry

The Reserve Bank of India (apex bank in the country) had in April last year issued a data localization directive, mandating all authorized payment system operators and banks to store payment systems data only in India. This led to various ambiguities in the requirements as well as industry pushback on the strict requirements imposed, especially by global payment companies. Our write ups on this are accessible here and here. The RBI also issued the much awaited clarifications on the said directive. One of the major clarifications being that where processing of a payment transaction happens overseas, then the payment systems data (including end-to-end transaction details) for the said transaction could also be stored abroad, but only for a limited period i.e. for the duration of processing the transaction.

We have analyzed the implications of the clarificatory press release here.

Dedicated committee to look into governance of non-personal data

The Ministry of Electronics and Information Technology (MEITY) had in September released an office memorandum which constitutes a new Committee of Experts, chaired by Shri. Kris Gopalakrishnan (Co-Founder, Infosys). The MEITY had taken cue from the Committee that framed the draft Personal Data Protection Bill, 2018,

  1. study various issues relating to non-personal data; and
  2. make specific suggestions for consideration of the Central Government on non-personal data.

The report and recommendations of the Committee is currently awaited.

Interesting and exciting times lie ahead. As one can see, data is no longer looked at as an intangible commodity but rather as an asset on which further value can be derived. Both consumers, organizations and now the Government see value in data, its usage and security. Also, as sectoral and industry-wide regulation evolves, business models will have to keep up. One must wait and watch whether 2019 has a twist in the tail, but certainly buckle up for 2020.


Aaron Kamath, Huzefa Tavawalla & Gowree Gokhale

You can direct your queries or comments to the authors



Nishith Desai Associates 2013. All rights reserved.