Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

India Releases Draft Personal Data Protection Regulation

India has released the much-anticipated first draft of the Personal Data Protection Bill, 2018, the country’s first comprehensive data protection regulation. The proposed bill is currently under review by India’s Ministry of Electronics and Information Technology and will likely be introduced in Parliament this year.

Recognizing the right to privacy as a fundamental right, the proposed bill seeks:

“to protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organisational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorised and harmful processing, and to establish a Data Protection Authority for overseeing processing activities.”

The bill outlines requirements and limitations for the lawful collection and processing of personal data and sensitive personal data. It defines “personal data” as:

“data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.”

The bill defines “Sensitive Personal Data” as “personal data revealing, related to, or constituting” a variety of categories, including financial data, health data, biometric data, and genetic data.

The bill confers certain rights on data principals, similar to those of European data subjects under the GDPR, such as the right to confirmation and access, the right to correction, the right to data portability, and the right to be forgotten. It also creates the Data Protection Authority of India, a new regulatory agency that would have the authority to investigate and fine entities that do not comply with the law. The bill also requires organizations to appoint a Data Protection Officer, conduct data protection impact assessments, and implement various information security safeguards, including the use of de-identification and encryption methods, as well as mechanisms to protect data integrity. In addition, the bill carves out some exemptions to data processing restrictions for issues relating to the security of the State; the prevention, detection, investigation, and prosecution of contraventions of law; for legal proceedings, research, archiving or statistical purposes; personal or domestic purposes; journalistic purposes; and manual processing by small entities.

Importantly, the proposed bill outlines obligations and restrictions on the cross-border transfer of personal data. Introducing a concept known as “data mirroring,” the bill requires one copy of all personal data subject to the bill to be stored (on a server or data center) within India, unless exempted by the government. Furthermore, the proposed bill implements a data localization mandate by requiring “critical personal data” to be stored only in India; however, the government is tasked with establishing which categories of personal data will qualify as “critical personal data.”

Similar to the penalties under the GDPR, violations of certain provisions of the proposed bill, including those on registration with the Data Protection Authority and data breach response, will result in penalties of up to Rs. 50 million (approximately $710,000 USD as of this post) or 2 percent of global annual turnover of the preceding financial year, whichever is higher. Violations of other provisions of the proposed bill, including those on the processing and foreign transfers of personal data, result in penalties of up to Rs. 150 million (approximately $2,130,000 USD) or 4 percent of global annual turnover of the preceding financial year, whichever is higher.

India’s Ministry of Electronics and Information Technology invites public comment through September 10, 2018.

August 15, 2018
Written by: Discerning Data Editorial Board
Category: Cybersecurity, Privacy
Tags: Data Protection Authority, GDPR, India, personal data, Personal Data Protection Bill 2018, privacy
