Significant changes proposed to Personal data protection law in India

last updated on 5 March 2020 | Reading time approx. 4 minutes

In today’s time, globally data is being recognised as one of the most valuable assets of organisations and triggering the need for a stringent level of data protection. It is against this backdrop that in July, 2017, Government of India though its Ministry of Electronics and Information Technology, formed a committee, to examine and propose changes to the data protection laws in India (which are presently not as advanced and extensive as compared to European countries.)

The committee introduced Personal Data Protection Bill, 2018 (2018 Bill). Thereafter, various stakeholders gave several suggestions and the committee then introduced Personal Data Protection Bill, 2019 (2019 Bill) in the Indian House of People ( Lok Sabha) on 11.12.2019. The Bill presently has been referred to a joint parliamentary committee for approval. It is speculated that the 2019 Bill will be given the shape of a legislation in the near future and we will very soon have the (Indian) Personal Data Protection Act, in force.

Impact on foreign investors

The 2019 Bill once enacted into law will bring India at par with several global jurisdictions in terms of the checks and balances for data protection especially, in line with the European Union’s General Data Protection Regulation (GDPR). The 2019 Bill is modelled on GDPR, but in some forms, is understood to have certain provisions far more stringent than GDPR.

 
2019 Bill has several noteworthy provisions such as scope of applicability, categorisation of data, stringent and detailed notice requirements prior to collection of personal data, consent requirement and parameters, processing and restriction on retention of data, rights of data principal, powers and duties of Data Protection Officer, data localisation, cross border transfers and penalties for breaches. It is critical to have an in-depth understanding of the legislation to ensure preparedness and compliance with the law once the same is enacted.
However, our analysis in this article is limited to certain provisions of the 2019 Bill which would have a direct impact on foreign investors (present and potential) in India while exchanging, processing and otherwise dealing in data.

We deal with three key topics here:

• Overview of Categorisation of Data in the 2019 Bill;
• Extra- Territorial Application of 2019 Bill; and
• Cross Border Data Transfer

Overview of categorisation of data

It is relevant to note that the 2019 Bill regulates 3 categories of data which are as follows:

1. Personal Data (PD): all data related to a natural person directly and indirectly identifiable, in relation to any characteristic, feature of the identity of such natural person, either online or offline, or combination of such features.
2. Sensitive Personal Data (SPD): sub-set of personal data which includes financial data, health data, data being in the nature of official identifier, sexual orientation, biometric data, genetic data, caste, tribe, religious or political belief.
3. Critical Personal Data (CPD): sub-set of personal data, but not currently defined. The Government has to notify rules setting out the definition of CPD.  

2019 Bill sets out certain specific compliances for SPD and CPD, such as data localization and restriction on processing of CPD, respectively. Further, industries which deal with collection of financial data, biometric and health data need to carefully examine the scope of 2019 Bill and the resultant compliances for collecting and processing of such specific data.   
 

Extra territorial application

2019 Bill will extend to processing of PD which is collected, disclosed, shared or processed in India by data  fiduciary/processor, or processing of PD by Government of India, Indian corporate entities or Indian citizens.
 

Apart from the aforementioned, the 2019 Bill also applies to processing of PD by entities located outside India, if PD is processed in connection with any business or activity of offering goods/services to individuals in India or profiling of data principals within India. Profiling refers to processing of data for analysing, predicting behaviour, attributes, interests of individual. The 2019 Bill excludes anonymised data.

 
However, the draft legislation in the present form has some open questions such as the meaning and scope of “carrying on business in India”. 

Cross border data transfer

The 2019 Bill imposes several restrictions on cross- border transfer of SPD and CPD. 2019 Bill prescribes that all SPD is to be stored in India, even if such data is transferred for processing outside India.

 
Transfer of SPD data can only be effected after seeking express consent of data principal and upon meeting any of the following conditions:

1. if transfer is made subject to a contract or intra-group schemes approved by Data Protection Authority; or
2. Indian Government prescribes a particular country/ organisation, subject to adequacy of data protection determination, for which transfer is permitted; or
3. Data Protection Authority approves particular transfer for specific purposes.
    

2019 Bill generally bars the transfer of CPD data outside India, allowing for such transfer outside India only for limited purposes such as in relation to health or emergency services or to a country which qualifies under the adequacy determination.

 
With restrictions on cross-border data transfer- coupled with the detailed conditions and manner in which consent is to be obtained,  one needs to be well versed with the final law including rules and regulations to ensure a seamless process of this transition.

Summary

The 2019 Bill appears to be modelled in principle around the GDPR. To such extent, GDPR compliant organisations would have lesser challenges in implementing the Indian framework, as may be applicable. 
However, the 2019 Bill has certain key variations from GDPR such as the fact that categorisation of data under the 2019 Bill is more explicit than GDPR; there is also likely to be a difference in the frame work around deciding whether or not data can leave the country.

 
Therefore a careful detailed analysis of the legislation in India will be required once the legislation is in its final form, and likely additional points for consideration and compliances (if any) would need to be examined. A GDPR based health check of practises of the Indian operations continues to be a useful tool, ensuring compliance under European norms and laying the structures for upcoming regulations in India.