India’s Personal Data Protection Bill: What U.S. Companies Need to Know
Kegler Brown Global Business News August 27, 2018
- India’s Ministry of Electronics and Information Technology is considering the Personal Data Protection Bill, 2018
- The bill states that “the right to privacy is a fundamental right and it is necessary to protect personal data...”
- Its rules apply to any business that interacts with Indian businesses or citizens
- Many aspects of the bill are similar to the EU’s GDPR
- The bill addresses issues of individual privacy rights, data collection and consent, and creates the Data Protection Authority of India
With the drafting of the Personal Data Protection Bill, 2018 (the bill), the Republic of India is demonstrating a major concern for personal data privacy. The bill states that “the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy.”
Among several points, the bill is intended to “protect the autonomy of individuals… ensure the accountability of entities processing personal data… specify the rights of individuals whose personal data are processed,” and “establish a Data Protection Authority for overseeing processing activities.”
Many of the bill’s aspects may bring to mind the EU’s recently enacted General Data Protection Regulation (GDPR), and similar to the lead-up to the GDPR’s effective date, companies that do business with or in India may have much to review as far as operations and procedures in order to be in compliance. As with any new law, it is hard to predict all the possible hurdles and new challenges a business may face.
The bill has been submitted to the Ministry of Electronics and Information Technology for consideration and should be introduced in Parliament sometime later, which means it still has a way to go before taking effect. Although some changes could occur during this process, the majority of the bill is expected to be passed into law. Therefore, below are ten of the most significant features businesses need to know about India’s new personal data protection bill.
The bill applies to any business that interacts with Indian businesses or citizens
- The broad language of the bill indicates that any U.S. company that does business, directly or indirectly, with Indian companies or citizens will be subject to the new data privacy law.
The bill imposes a fiduciary duty upon businesses processing data
- Data processing must be carried out in a fair and reasonable manner. Further, a data processor must respect the privacy of the data principal and is subject to a duty of care. This heightened duty of care will be a new feature of India’s data privacy laws.
The purpose of collection of personal data must be clear and for reasonable purposes
- The bill mandates that personal data, which is defined broadly as “data about or relating to a natural person who is directly or indirectly identifiable” from the data, may only be collected “for purposes that are clear, specific, and lawful.” Any collection of data must be reasonable in light of its purpose.
- The collection of data is also limited to what is necessary, and notice must be provided before or at the time of data collection.
Generally, personal data may only be collected with consent
- Consent must be “free, informed, specific, clear, and capable of being withdrawn.”
- Further, if the business wishes to collect sensitive personal data, then there are heightened consent requirements. Sensitive personal data is broadly defined but relates to any financial, health, or other personal status.
- Consent is not required if the data is collected for employment purposes or in the case of an emergency.
Children under the age of 18 may not be tracked
- Businesses must implement proper age verification and parental consent. Businesses that target children may not profile, track, monitor, advertise, or otherwise undertake any data processing that may cause significant harm to children.
Subjects of data processing have rights
- If requested, a business must provide a summary of the data it has processed in a clear and concise manner that is easily comprehensible to a reasonable person, among other things. However, the business need not comply with a request if complying would harm the rights of others.
- Any breach of privacy that is likely to cause harm to any data principal must be reported to the Data Protection Authority of India. Data processors are also required to keep a local copy of personal data in Indian data centers.
- Data subjects also have a right to be forgotten.
The bill creates the Data Protection Authority of India
- The Data Protection Authority is an independent regulatory body that is responsible for the implementation of the bill.
- The Data Protection Authority may create more rules and regulations regarding data processing, and businesses should be aware of any such future rules.
It sets heightened responsibilities for “significant data fiduciaries”
- The Data Protection Authority of India may classify some data processors as “significant data fiduciaries” based on various factors: volume, sensitivity of data, risk of harm, and “any other factor relevant in causing harm to any data principal.”
- If a data processor is deemed to be a significant data fiduciary, then it is subject to the following requirements: data protection impact assessments, heightened record keeping, data audits, and the appointment of a data protection officer.
The bill features both civil and criminal penalties
- There are two tiers of civil penalties. The first applies to breaches of notification and other requirements, and the second applies to more severe breaches in processing personal data.
- Prison sentences ranging from 3 to 5 years can be levied against those who “knowingly, intentionally, or recklessly obtain, disclose, transfer or sell personal or sensitive personal data.”
The bill will be implemented in stages
- If the bill is enacted by Parliament, the provisions regarding the Data Protection Authority of India will take effect immediately. The Data Protection Authority of India will be set up within 3 months, it will then issue certain rules within 12 months, and finally the substantive provisions will become effective 18 months from the bill’s enactment.
This is a complex bill with many issues that can’t fit within the limits of a single list. Overall, it will significantly expand the protections of personal data stemming from India and create great responsibility for those collecting such data.
Looking forward, there are many unknowns with this piece of legislation and much for U.S. businesses to consider if they are engaged in data collection associated with the Republic of India, its companies, or its citizens. For more information or guidance on this bill and how it may impact your business, please contact Vinita Mehra at [email protected].
This article was prepared with the assistance of summer associate Cody Myers.