India’s New and Substantial Draft Data Privacy Bill

The expert committee set up by the Government of India recently published a new draft data privacy draft bill called the Personal Data Protection Draft bill 2018 along with a detailed companion report. This significant development brings India closer to a comprehensive law for personal data protection. The draft bill is modelled on the European Union’s General Data Protection Regulation (GDPR). If enacted into law, the draft bill would impose significant obligations on organizations, whether operating inside or outside India, including mandatory localization of personal data. The Government of India has invited comments to the draft bill by 30 September 2018.

Certain key highlights of the draft bill are:

  1. Modelled on (but not identical to) the GDPR: As noted above, the draft bill draws significantly from the GDPR in that it applies to the “processing” of “personal data” and “sensitive personal data”. Sensitive personal data is subject to a more protective regime under the draft bill (akin to the GDPR). The draft bill also uses similar terminology in that (for example) it refers to “data fiduciaries”, data processors and “data principals” (akin to the GDPR’s “data subjects”). While data fiduciary concept is modelled on the GDPR’s controller concept, the use of “fiduciary” in lieu of “controller” is intentional in that such organizations are intended to have a fiduciary responsibility vis-à-vis data principals. Similar to the GDPR’s concepts of “risk” and “high risk”, the draft bill seeks to calibrate certain obligations by reference to the likelihood of “harm” or “substantial harm” to data principals. However, the draft bill also contains significant differences from the GDPR that organizations should carefully consider. For example, unlike under the GDPR, sensitive personal data under the draft bill includes financial data and passwords, which would increase organization’s regulatory burdens.
  2. Extraterritorial application: The draft bill would apply to organizations present within India, but importantly, it would also apply to organizations present outside India (reflecting principles similar to the GDPR). In particular, it would apply to the processing of personal data by organizations present outside India if the data processing occurs in connection with (i) business operations in India; (ii) offering of goods and services to data principals in India; or (ii) the profiling of data principals in India. The government is allowed to exempt certain data processing activities from the application of the law (for example, the processing of personal data relating to data principals who are not in India).
  3. Data localization requirements: The draft bill provides that if personal data is deemed by the government to be “critical” it may not be transferred outside India. Even if personal data is not deemed to be “critical” at least “one serving copy” should be stored “on a server or data centre located in India” and the rules regarding international data transfers (as set out below) complied with. It is unclear whether these localization requirements, if implemented, would be consistent with India’s international commitments (for example, under World Trade Organization rules).
  4. Penalties: The draft bill would allow the imposition of potentially significant civil and criminal penalties and sanctions. Fines may be to up to the greater of INR 150m (approximately USD 2m) or 4% of total worldwide revenues of the preceding financial year.
  5. New data privacy regulator: The draft bill establishes a new data privacy regulator for India called the Data Privacy Authority of India (DPAI). It is vested with significant powers, including interpreting the law, investigating organizations, and imposing civil and criminal penalties. The DPAI would at least in certain respects have more powers than EU data protection authorities under the GDPR (for example, the DPAI may make rules (for example) that broaden the definition of “sensitive personal data”).
  6. Legal grounds for processing: The legal grounds for processing personal data under the draft bill, while broadly similar to the GDPR (for example, allowing reliance on consent), the ground are, in certain respects, narrower than under the GDPR. For example, unlike the GDPR, the draft bill does not allow an organization to process personal data on the basis that it is necessary to perform a contract. In addition, organizations may process personal data relying on the new “reasonable purposes” ground (akin to the GDPR’s legitimate interest ground). However, the DPAI is allowed to regulate the use of this ground and it is, therefore, unclear how easily available this ground may be relied upon in practice.
  7. Restrictions regarding international data transfers: Personal data may not be transferred outside India unless conditions that are set out in the draft bill (which are similar to the conditions in the GDPR) have been satisfied. For example, transfers may occur if it is (i) made subject to standard contractual clauses or “intra-group schemes” that have been approved by the DPAI; or (ii) to a country which has been approved by the government on the basis that it “adequately” protects personal data. While no countries have as yet been approved, the Government of India may well require that any “adequacy” decisions it makes in favour of a country be reciprocated by that country. Therefore, for example, it could potentially seek to treat the EU as “adequate” only if the EU, in turn, treated India as “adequate” for data transfers under the GDPR. In fact, considering the extent of regulatory alignment between the draft bill and the GDPR, such reciprocal recognition is not an inconceivable outcome.
  8. Personal data breach notification: Data fiduciaries are required to notify as soon as possible the DPAI of a personal data breach if it is “likely to cause harm to any data principal”. The DPAI will thereafter determine whether affected data principals also need to be notified. The DPAI is required to issue additional guidance in this area (including with respect to the thresholds and timescales for notification).
  9. Rights of data principals: The draft bill would give data principals new rights, including a right to: obtain a copy of their personal data from data fiduciaries, correct inaccurate personal data, receive personal data in a portable data format, to have their data erased (the so-called right to be forgotten). While these are similar to comparable rights under the GDPR, in certain respects there are notable differences (for example, an individual’s data is required to be erased in connection with the right of erasure only applies if the regulator has determined that the necessary conditions have been satisfied).
  10. Obligations of significant data fiduciaries: Organizations which are considered “significant data fiduciaries” are subject to enhanced obligations (for example, conducting data protection impact assessments, record-keeping and appointing data protection officers). Whether an organization is considered a “significant data fiduciary” depends on (for example) the volume and sensitivity of personal data processed, its annual gross revenues, and the risks arising from its processing.
  11. Children’s personal data: The draft bill contains a number of restrictions regarding the processing of children’s personal data (including certain age verification obligations). Importantly, organizations that are deemed “guardian” data fiduciaries may not undertake (for example) any profiling, tracking, targeting advertising or behavioural monitoring directed at children.

Sidley will keep track of developments with respect to the draft bill. Organizations that are potentially subject may wish to consider how it would affect their operations in India and elsewhere (for example, as a result of the data localization requirement).