The Committee of Experts entrusted with creating a data protection framework for India released India’s long-awaited draft Personal Data Protection Bill, 2018, on 27 July. The draft bill proposes a comprehensive data protection framework to protect data privacy specifically in the digital economy. The committee, chaired by BN Srikrishna, a retired Supreme Court judge, was constituted in August 2017 by the Ministry of Electronics and Information Technology, and held over a year of deliberations and public consultations.

Obligations for data fiduciaries

The highlights of the draft bill include its extra-territorial applicability, making it applicable to foreign data processors/fiduciaries insofar as they have a business connection in India or carry on activities involving profiling of individuals in India. These obligations are to be imposed on the basis of criticality of data, distinguished as personal data, sensitive personal data and critical personal data. The terms “data processor” and “fiduciary” have been defined to include any person (natural/juristic) including the state. However, the term “data principal” has been defined to include a natural person only. The draft bill introduces extensive rights for the data principal such as data portability, the right to be forgotten, and the right to correction, confirmation and access of the data.

The draft bill has proposed various obligations on data fiduciaries such as notice requirements that are clear, concise and comprehensible, as well as the duty to secure the individual’s data, in accordance with principles of purpose limitation, collection limitation, maintenance of data quality and storage limitation. The draft bill recognizes fair and reasonable grounds for processing, in addition to a consent requirement for collection of not only sensitive personal data but personal data as well.

Additionally, the concept of privacy by design and a data breach notification system are introduced. Further, a mandatory registration requirement has been imposed on data processors who conduct high-risk processing. Such processors are also required to implement trust scores, data audits, and a data protection impact assessment.

To guarantee compliance, European Union General Data Protection Regulation-style penalties, extending up to 4% of global turnover in some cases of violation, have been proposed. Criminal penalties have also been proposed in limited cases.

Location of data storage

The draft proposes that a copy of all personal data must be stored in India. The government is expected to retain the power to exempt storage of copies of sensitive personal data and, in some cases, data may be transferred across borders, under standard contractual clauses/intra-group schemes and possible adequacy requirements, to jurisdictions approved by the government. Additionally, the government may notify that certain types of personal data (i.e. critical personal data) must be processed in a server or data centre located in India.

Sweeping data localization norms have also been imposed on India’s payment sector. Recently, the Reserve Bank of India issued a circular called Storage of Payment System Data, addressed to all licensed payment systems (including banks, prepaid payment instruments and card payment networks like MasterCard, Visa, etc.). This circular requires all payment systems to store their “entire data related to online payment systems in India”. This information should include: “full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction”. Exemptions have only been provided to “data of a foreign leg of a transaction”.

The business law digest is compiled by Nishith Desai Associates (NDA). NDA is a research-based international law firm with offices in Mumbai, New Delhi, Bengaluru, Singapore, Silicon Valley, Munich and New York. It specializes in strategic legal, regulatory and tax advice coupled with industry expertise in an integrated manner.