In recent months, India’s privacy laws have been widely discussed. Now, India has released the much-anticipated first draft of the Personal Data Protection Bill 2018.
First data protection law for India
It is the first draft of the first data protection regulation in India and has therefore been awaited for a long time. It shall be introduced in Parliament this year. The provisions will form the framework for India’s data protection laws, stipulating how organisations should collect, process, and store citizens’ data.
As the National Law Review reports, the proposed bill seeks:
“to protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organisational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorised and harmful processing, and to establish a Data Protection Authority for overseeing processing activities.”
What is personal data?
The bill outlines requirements and limitations for the lawful collection and processing of personal data and sensitive personal data. It defines “personal data” as:
“data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.”
Does that sound familiar? Yes, it reads a bit like Art. 4 (1) of the GDPR…
Similarities with GDPR
And this is not the only thing that sounds familiar: data subjects will have certain rights (e.g. to access their data), a right to data portability exists, and a right to be forgotten will also be available to data subjects. However, this right to be forgotten does not allow Indians to ask companies to completely delete data they have shared (as is the practice under the GDPR in Europe). The “right to be forgotten” suggested in the Indian bill only allows data subjects to restrict companies from using their data, as Quartz India reports.
The new Indian bill also proposes the role of a Data Protection Officer who has similar functions to the one under the GDPR. Companies will also need to implement appropriate technical and organizational measures such as encryption in order to be compliant with the new law.
If provisions under the proposed bill are infringed, sanctions of up to Rs. 50 million (approximately USD 710,000) or 2 percent of global annual turnover of the preceding financial year, whichever is higher, or Rs. 150 million (approximately USD 2,130,000) or 4 percent of global annual turnover of the preceding financial year, whichever is higher, are possible.