India has released the much-anticipated first draft of the Personal Data Protection Bill, 2018, the country’s first comprehensive data protection regulation. The proposed bill is currently under review by India’s Ministry of Electronics and Information Technology and will likely be introduced in Parliament this year.
Recognizing the right to privacy as a fundamental right, the proposed bill seeks:
“to protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organisational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorised and harmful processing, and to establish a Data Protection Authority for overseeing processing activities.”
The bill outlines requirements and limitations for the lawful collection and processing of personal data and sensitive personal data. It defines “personal data” as:
“data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.”
The bill defines “Sensitive Personal Data” as “personal data revealing, related to, or constituting” a variety of categories, including financial data, health data, biometric data, and genetic data.
The bill confers certain rights on data principals, similar to those of European data subjects under the GDPR, such as the right to confirmation and access, the right to correction, the right to data portability, and the right to be forgotten. It also creates the Data Protection Authority of India, a new regulatory agency which would have the authority to investigate and fine entities that fail to comply with the law. The bill also requires organizations to appoint a Data Protection Officer, conduct data protection impact assessments, and implement various information security safeguards, including the use of de-identification and encryption methods, as well as mechanisms to protect data integrity. Moreover, the bill carves out some exemptions from data processing restrictions for matters relating to the security of the State; the prevention, detection, investigation, and prosecution of contraventions of law; legal proceedings; research, archiving or statistical purposes; personal or domestic purposes; journalistic purposes; and manual processing by small entities.
Importantly, the proposed bill outlines obligations and restrictions on the cross-border transfer of personal data. Introducing a concept known as “data mirroring,” the bill requires one copy of all personal data subject to the bill to be stored (on a server or data center) within India, unless exempted by the government. Furthermore, the proposed bill implements a data localization mandate by requiring “critical personal data” to be stored only in India; however, the government is tasked with establishing which categories of personal data will qualify as “critical personal data.”
Similar to the penalties under the GDPR, violations of certain provisions of the proposed bill, including those concerning registration with the Data Protection Authority and data breach response, will result in penalties of up to Rs. 50 million (approximately $710,000 USD as of this post) or 2 percent of global annual turnover of the preceding financial year, whichever is higher. Violations of other provisions of the proposed bill, including those concerning the processing and foreign transfer of personal data, will result in penalties of up to Rs. 150 million (approximately $2,130,000 USD) or 4 percent of global annual turnover of the preceding financial year, whichever is higher.
India’s Ministry of Electronics and Information Technology invites public comment through September 10, 2018.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.