India lays a much needed cornerstone as it moves towards a digital economy, by introducing the draft Personal Data Protection Bill, 2018. This bill follows in the footsteps of the Hon'ble Supreme Court of India's landmark judgement, declaring privacy as a fundamental right of an individual. The Srikrishna Committee, which was responsible for drafting the bill, has noted that a legal framework needs to be formulated that can act as a template for developing countries across the world. Such a legal framework is essential if India is to shape the global digital landscape in the 21st century, as envisaged by the government of India by virtue of their initiatives such as "Digital India" and "Make in India."
While drafting the data protection bill, the committee has taken into account three key approaches to data protection that are currently adopted by other countries. The sectoral approach of the U.S., the omnibus regulatory approach of the EU and China’s approach of data protection for averting national security risks have been duly deliberated upon by the experts for coming up with the draft bill.
The Indian legislature has awarded the sense of rightfulness in the individual by calling them “data principals” and pronounced a duty of trust for organizations by calling them “data fiduciaries.” While their European counterpart has termed individuals whose personal data is being processed as “data subjects” and organizations responsible for determining the purpose of processing “data controllers.”
Data principals have been granted a number of rights, such as rights to access, correction, data portability and the right to be forgotten. Failure to adhere to the timelines for responding to a data principal’s request will result in a penalty of INR 5000 for each day during which the default continues, to a maximum of INR 1 million. Compliance requirements have been further strengthened by introducing the concept of an annual data audit, which is to be carried out by organizations through independent data auditors.
The draft bill introduces a set of new obligations such as periodic data audits, maintaining the records of data processing and performing data protection impact assessments. These obligations are alien to a large number of Indian organizations as they have not adopted a data-centric approach from the get-go, and therefore, will have a significant compliance challenge to overcome.
The obligations identified in the draft bill will be applicable not only to data fiduciaries established in India, but also to data fiduciaries carrying out the systematic activity of offering goods and services to data principals in India or performing any activity that involves profiling of data principals within the territory of India.
Organizations involved in high-risk processing activities have been classified as “significant data fiduciaries” and will be required to appoint a data protection officer. Further, organizations not present in India but under the scope of the bill will be required to appoint a DPO who is based in India. This is similar to the obligation placed upon organizations by the GDPR and will ensure organizations are adequately advised on their data protection obligations. While the GDPR requires the DPO to be independent, no such requirements have yet been identified by the proposed bill. Compliance requirements have been further strengthened by introducing the concept of annual data audits to be carried out by organizations through independent data auditors.
The draft bill adopts a restrictive approach when it comes to cross border data transfer by requiring data fiduciaries to store at least one copy of personal data on servers or data centers located in India. Further, the bill has also tasked the central government with the responsibility of identifying categories of personal data that shall be classified as critical personal data. Critical personal data shall only be processed in a server or data center that is located in India. Such restrictions on cross border transfer of personal data may be difficult to enforce and at the same time increase the cost of processing for organizations. While large organizations may be willing to invest in new servers where they would want to operate, small and medium-sized businesses may find it much more difficult to move away from cheaper foreign cloud service providers.
A data protection authority for India, DPAI, will also be established under the draft bill. This authority has been tasked with identifying timelines for response to data principals rights requests, data breach notifications, and also for enforcing application of provisions of the draft bill. In cases of noncompliance, the DPAI may award fines of amount up to 2 percent of a company's total worldwide turnover or INR 50 million, whichever is higher, for data fiduciaries and up to 4 precent of total worldwide turnover or INR 150 million, whichever is higher, for significant data fiduciaries. Organizations will be granted a transition period of 12 months post the enactment of the bill for ensuring compliance. This period is seemingly low based on the lessons learnt from the implementation of the GDPR, which placed similar obligations upon organizations.
The dawn of a new data protection regime in India heralds an opportunity which should be firmly grasped by organizations. It is imperative that data protection is taken up as a key boardroom agenda. Just as the bill leverages upon data protection legislations across the world, so should organizations leverage upon the lessons learnt in compliance journeys of various organizations to such regulations.
photo credit: Meanest Indian Doorway Tiranga via photopin (license)