New Data Protection Law Proposed in India! Flavors of GDPR
The much-awaited Personal Data Protection Bill, 2018 (“Draft Bill”) was released by the Committee of Experts entrusted with creating a Data Protection Framework for India (“Committee”) on Friday evening.
The Committee, chaired by retired Supreme Court judge Justice Srikrishna, was constituted in August 2017 by the Ministry of Electronics & Information Technology, Government of India (“MeitY”) to come up with a draft of a data protection law. After over a year of deliberations and a series of public consultations, followed by the release of a white paper with preliminary views, the Committee has released a Draft Bill. The Draft Bill is accompanied by its report titled “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians” (“Report”), which provides context to the deliberations of the Committee.
MeitY as the nodal ministry may accept, reject or alter such Draft Bill. Thereafter, the Draft Bill would need to be approved by the Union Cabinet before it is introduced in the Parliament for deliberations.
Some of the key highlights of the Draft Bill are:
Extra-territorial application, i.e. the Draft Bill is to apply to foreign data processors in so far as they have a business connection to India or carry on activities involving profiling of individuals in India.
Differential obligations imposed based on criticality of data, i.e. differing obligations for Personal Data and Sensitive Personal Data;
Obligations of the Data Controller (i.e. Data Fiduciary): Notice (that is clear, concise and comprehensible), Purpose Limitation and Collection Limitation, maintaining data quality, storage limitation;
Grounds for processing in addition to consent include use for employment purposes as well as emergencies.
Intended to be made applicable to the State as well as private parties.
Child Rights: Child is defined as someone who is less than 18 years of age. Profiling, tracking or behavioral monitoring of or targeted advertising towards children is not permitted.
Rights of the Data Subject: These include Data Portability, the Right to be Forgotten and the right to correction of the data, among others.
Concept of Privacy by design and a data breach notification have also been introduced;
High Risk Data Processors – A mandatory registration requirement has been imposed on data processors who conduct high risk processing. Such processors are required to implement Trust Scores, Data Audits as well as a Data Protection Impact Assessment.
Data Localisation: A copy of all Personal Data must be stored in India; additionally, the Government may notify certain types of personal data that must mandatorily be processed only in India. The Government has retained with itself the power to exempt storage of copies of Sensitive Personal Data in some cases.
Cross Border Data Flows: In addition to consent, cross-border transfers would also require the use of (a) model clauses; and (b) possible adequacy requirements, i.e. transfer to jurisdictions approved by the Government;
The Data Protection Authority of India (“Authority”) appointed under the Act will provide or endorse Codes of Practices.
GDPR Style Penalties: Up to 4% of global turnover in some cases;
Criminal penalties also introduced for limited cases;
Phased manner of implementation once the law comes into force.
To summarize, whilst we believe that the Draft Bill does have its share of positives, in several places it is either ambiguous or unclear, imposes excessive obligations on Data Fiduciaries, or prescribes disproportionate punishments. Several matters are left to be determined through Codes of Practices or by the Government at a later stage. Therefore, at this stage the full impact of the proposed law cannot be assessed in its entirety.
In several respects, we note that the Draft Bill appears to have borrowed heavily from the recently notified E.U. General Data Protection Regulation (“GDPR”). Given that the GDPR is itself still in its infancy, it would be imperative that law makers provide enough flexibility for the law to be altered on the basis of global experience. Further, we find that even the current basic law under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“2011 Rules”) has still not been fully implemented even after 7 years. Therefore, implementation will be key to this fairly detailed and somewhat cumbersome law.
We hope that the law is made more balanced by diluting some of the draconian provisions as well as by issuing clarifications on the points that are not clear, after public consultation. Therefore, ideally, once the MeitY finalizes the draft, it should place such law in the public domain and provide stakeholders an opportunity to provide further inputs, before the law is placed before parliament.
We have set out in our detailed analysis below the possible implications that it may have on businesses, including offshore companies doing business in India. As we continue to read, debate and delve deeper into the wording of the law, our views on several of these issues may evolve.
The Draft Bill also seems to have certain unintended consequences for start-ups and non-digital businesses, in that it exposes them to excessive compliance requirements.
Our detailed analysis of the Draft Bill is available here.