India’s data protection regime: Are you ready for the change?

By Santosh Pai and Yosham Vardhan, Link Legal India Law Services

What are the opportunities and risks for Chinese investors once the Personal Data Protection Bill 2019 is approved?

With more than 560 million users, India is now the second-largest online market in the world after China. With increasing internet penetration, debates around data theft and privacy have come to the forefront, and data protection has become a national priority.

Santosh Pai
Partner
Link Legal India Law Services

The Supreme Court of India elevated “right to privacy” to the status of a fundamental right under the Constitution of India when it delivered its judgment in Justice KS Puttaswamy (retd) & Anr v Union of India and Ors on 24 August 2017. Almost three years later, the wait for India’s first comprehensive legislation to regulate data is drawing to an end.

Existing privacy obligations in India are contained in the Information Technology Act, 2000, and deal with sensitive personal data or information including financial, physical, health, biometric information, etc. The law prescribes civil and criminal sanctions for non-compliance with privacy obligations. The proposed legislation is awaiting approval from parliament as the Personal Data Protection (PDP) Bill 2019. The PDP bill is largely modelled along the lines of the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018, with one significant difference being the requirement for localization of data and strict restrictions on the cross-border transfer of data.

Yosham Vardhan
Associate Partner
Link Legal India Law Services

The PDP bill recognises three kinds of data: (1) personal data (which is wide enough to include any and all data relating to a natural person that could identify him/her); (2) sensitive personal data (SPD) such as financial, health, sexual orientation and biometric data; and (3) critical personal data (not defined under the PDP bill at present). It also empowers data principals (defined as the natural persons to whom the personal data relates) by conferring on them the right to confirmation and access, correction and erasure, data portability, and the right to be forgotten.

The entities recognised under the PDP bill are the data processor (similar to the processor concept of GDPR), the data fiduciary (similar to the data controller concept of GDPR), and the significant data fiduciary, which is a class of data fiduciary. The PDP bill also proposes the establishment of a specialized regulator, the Data Protection Authority of India (DPA), conferred with vast powers for purposes including the protection of the privacy of individuals and the regulation of personal data, such as laying down regulations for the protection of the rights of data principals, standards of anonymization, and notification of data breaches.
