One more country has jumped on the data privacy reform bandwagon. India is soon expected to enhance restrictions. Protections could extend even further than the EU’s General Data Protection Regulation (GDPR). This legislative overhaul has been a five-year long journey, with a 2017 Supreme Court decision kicking it off by concluding that privacy is a fundamental right. Soon thereafter, a privacy bill emerged and has been sitting with India’s Parliament for over two years. The joint committee reviewing the bill finally issued a report last December outlining some revisions.

Positioned as one of the largest open internet markets and a major hub for offshore outsourcing projects, a comprehensive India data privacy law has the potential to make a lot of waves and influence privacy landscapes all over the world. Some analysts expected it to pass into law this spring, but recent reports indicate that India may create an entirely new bill. This would address fears that certain provisions would inhibit India’s growing startup and tech industries, and also some global concerns. For example, the U.S. has expressed apprehension over how restrictions on cross-border transfers and data localization requirements could compromise safe data travel.

Key Provisions

Whether the current bill passes or a new one takes the stage altering some debated provisions, India is on the verge of drastically changing their data privacy framework in the very near future. Here are some important changes that would stem from passage of the pending bill, as proposed:

1. Collection and processing activities applying to personal and non-personal data of Indian residents would fall under the law’s purview but be afforded different layers of protection. In addition to organizations located in-country, the law would also apply to data fiduciaries and processors situated outside of India. Notice of use, prior consent, and limitations exist to help balance interests of data subjects and fiduciaries.

2. Data fiduciaries have several responsibilities when it comes to handling information. Major duties include creating “privacy by design” models; being transparent with process and algorithm usage; and providing comprehensive notice to data subjects that also contains information about things like retention policies or cross-border transfers.

3. The right to data portability would exist even when dealing with trade secrets. Data portability denials are only appropriate when technically unfeasible.

4. A data protection authority (DPA) composed of no more than six individuals would be responsible for compliance monitoring and enforcement. The DPA must include the attorney general and a director from both the Indian Institute of Management and Indian Institute of Technology. Some key responsibilities would encompass regulating and limiting personal data usage, creating accountability standards for organizations to follow, fostering trust, and establishing penalties for non-compliance. In addition to the creation of a regulatory body in India, each organization subject to the law would need to appoint data protection officers to help attain compliance.

5. When dealing with cross-border transfers, the DPA would need to consult the government before issuing approval for a contract or intra-group scheme. Anything against public or state policy would be denied, which leaves broad discretion up to the government.

6. For breaches involving both personal and non-personal data, organizations must provide notification within 72 hours of awareness. The DPA could direct an organization to adopt urgent measures to boost remediation efforts.

7. The law would impose data localization requirements, mandating that critical data be processed in India. Sensitive personal data could be transferred to another country, but a copy would need to remain stored in-country. The bill also directs the government to issue a detailed policy on data localization practices.

8. The government could create sandbox environments for testing new products, tech, and services. This is meant to help startups incorporate “privacy by design” while still advancing innovation.

9. Social media platforms would be viewed as publishers and therefore responsible for hosted content posted by third parties. Designating a media regulatory authority may result to help with this feat.

10. The government can set up a testing site for hardware and software present on IoT and digital devices. This would help ensure that manufacturers appropriately secure devices.

Looking Ahead

It is critical to keep informed of any changes that occur if tweaks are made before passage or a new bill emerges. Organizations in India and those located abroad that collect data of Indian residents, process and store non-resident data in offshore facilities located in India or anticipate cross-border transfers involving India all need to monitor what happens with the pending bill closely. Major change may occur in a new bill in areas where domestic and international controversy exists around proposed requirements – data localization, cross-border transfers, startup activity, and social media platforms. However, if the current bill ends up passing as is then interpretation of such provisions would be crucial to understand compliance obligations.

Regardless of when new legislation passes and what revisions ensue, proactivity cultivates success. Organizations may update compliance programs, create new data policies, hold trainings, explore tech solutions that promote privacy by design and provide valuable data insights, compare obligations between privacy laws, and reevaluate business models if the burden associated with offshore activities heightens.

Also note how India’s approach to privacy influences moves made by other countries. It is not a coincidence that the EU recently introduced draft legislation that would provide protections to non-personal data, which the GDPR does not currently cover. To avoid interference with expansion of the country’s digital economy, a successful law needs to balance this interest with consumer privacy rights and compliance burdens. Just as with other data privacy laws, enforcement will help with this feat and also establish a baseline for what is acceptable and where gaps still exist.

If you found this blog useful, consider reading Privacy Roundup Part Two: Significant International Updates.