What India’s data protection law might mean for your business
Sep 11th 2018

India has taken a step towards laying down a proper policy for data protection. The Srikrishna Committee, a 10-member expert committee headed by former Supreme Court judge BN Srikrishna and appointed by the Indian government in August 2017 to “identify key data protection” issues, finally submitted its report and a draft bill providing a legal framework for data privacy in the country at the end of July.

The full 213-page report, along with the 67-page draft bill, can be read on the Ministry of Electronics & Information Technology’s website and gives a detailed insight into what data protection in India could look like. Everything is still on paper: the Srikrishna panel has only provided a draft bill, which must still be passed by Parliament. Even so, whatever law is eventually enacted will most probably not diverge much from this draft. In that context, it is important for businesses, small and big, to analyse and understand it and, where required, start making the necessary changes.

For businesses, the following key points need to be taken note of:

  • The bill proposes that the new law will have jurisdiction over any personal data processed in India. Data collectors, which the report refers to as “data fiduciaries”, that are not present in India but carry on activities affecting data principals in India would also fall under the purview of this law.
  • An independent regulatory body called the Data Protection Authority (DPA) will be set up by the law and will be responsible for its effective enforcement.
  • Certain data fiduciaries will be categorized by the DPA as significant data fiduciaries “based on their ability to cause greater harm to data principals as a consequence of their data processing activities”. These significant data fiduciaries will have to undertake additional obligations: (i) registration with the DPA; (ii) data protection impact assessments; (iii) record-keeping; (iv) data audits; and (v) appointment of a Data Protection Officer. The DPA can require other data fiduciaries to undertake these obligations as well.
  • Similar to the European Union’s General Data Protection Regulation (GDPR), penalties may be imposed on data fiduciaries, and compensation may be awarded to data principals, for violations of the law. A penalty would be an amount up to a fixed upper limit or a percentage of the fiduciary’s total worldwide turnover of the preceding financial year, whichever is higher.
  • Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual.
  • Consent will be a lawful basis for processing of personal data. For consent to be valid it should be “free, informed, specific, clear and capable of being withdrawn”.
  • All processing of personal data by data fiduciaries must be fair and reasonable.
  • There shall be obligations of data quality and storage limitation on data fiduciaries.
  • The right to data portability, subject to limited exceptions, should be included in the law.
  • The right to be forgotten may be adopted, with the Adjudication Wing of the DPA determining its applicability on the basis of certain criteria.
  • Personal data determined to be critical will be subject to the requirement that it be processed only in India.
  • Other (non-critical) personal data will be subject to the requirement that at least one serving copy be stored in India.
  • In the draft bill, every offence punishable under it has been categorized as cognizable and non-bailable.

There are various other points, but these are the major ones that will affect the way businesses operate in India. Multinational corporations such as Facebook, Google or WhatsApp will have to ensure that the data they collect from Indian users is protected in accordance with the data protection law. They will also be required to store at least one serving copy of that data in India, which may increase infrastructure costs.

The other important point is that data fiduciaries considered “significant” will also have to be ready to undergo the various additional compliance measures, and they must start preparing for them now. The Personal Data Protection Bill, 2018, while not yet in effect, clearly shows the shape of a future framework for data legislation in India. Businesses should take heed and start laying the groundwork now so they are not caught unprepared when it comes into force.