12 March 2020

What Is in India’s Sweeping Personal Data Protection Bill?

ANIRUDH BURMAN, SUYASH RAI

This publication was produced under Carnegie India’s Technology and Society Program. For details on the program’s funding, please visit the Carnegie India website. The views expressed in this piece are solely those of the authors.

WHAT IS THE PERSONAL DATA PROTECTION BILL?

Introduced in India’s parliament on December 11, 2019, the Personal Data Protection Bill sets rules for how personal data should be processed and stored, and lists people’s rights with respect to their personal information. It also proposes to create an independent new Indian regulatory authority, the Data Protection Authority (DPA), to carry out this law. The bill also sets out grounds for exemption.

WHO WILL HAVE TO COMPLY?

The bill imposes hefty new compliance requirements for data protection on most businesses in India.

Almost all businesses across India’s economy will have to meet the bill’s conditions. This will include not just e-commerce, social media, and IT companies, but also brick-and-mortar shops, real estate companies, hospitals, and pharmaceutical companies. The only exceptions will be “small entities” (businesses like small retailers that collect information manually and meet other conditions to be specified by the DPA).

Some financial and telecommunications firms are already subject to privacy and confidentiality requirements set out by their sectoral regulators, so they already follow some practices required by the bill. But for all other businesses, these rules would be new.

WHAT IS IN THE BILL?

If the bill comes into force, businesses would have to tell users about their data collection practices and seek customers’ consent. They would have to collect and store evidence of the fact that such notice was given and consent was received. Because the bill gives consumers the right to withdraw their consent, businesses would also have to come up with systems to allow consumers to do so.

The bill gives consumers the right to access, correct, and erase their data. Businesses would have to create ways to allow consumers to do so.

The bill also allows consumers to transfer their data, including any inferences made by businesses based on such data, to other businesses. All companies would have to develop ways for consumers to do this.

The bill requires all businesses to make organizational changes to protect data better. These include privacy-by-design principles (an approach in which privacy is a key consideration in how the business is organized), security safeguards, and so on.

The bill also stipulates that all “sensitive personal data” be stored in India and that “critical personal data” not be transferred out of India. This will distort the market-driven decisions of businesses to access the best data storage services and force such data to be kept locally in India.

A group of “significant data fiduciaries”—people in charge of checking that data is stored fairly and responsibly—will have extra duties, such as carrying out data audits and appointing data protection officers.

Lastly, the bill also includes rules about nonpersonal data. Under the bill, the government can require any business to share valuable nonpersonal data (such as aggregate mobility data collected by apps like Google Maps or Uber) with the government. The bill is silent on whether businesses will be compensated for their loss. This could have negative long-term consequences on innovation and economic growth.

WHAT ARE THE PENALTIES FOR NOT COMPLYING?

The bill gives the DPA the power to fine any business that does not comply with the bill or the regulations made by either the DPA or the government.

The maximum penalty that can be imposed is 150 million Indian rupees (about $2.1 million), or 4 percent of the firm’s global turnover in the preceding financial year.

HOW DID THE BILL COME ABOUT?

Data privacy issues in India have become more prominent over the past few years. The genesis of the bill lies in the landmark Puttaswamy v. India judgment, issued on August 24, 2017. In that ruling, India’s Supreme Court declared privacy a fundamental right under the Constitution of India. On September 26, 2018, the Supreme Court asked the government to set robust data protection rules.

Around the same time that the Supreme Court was looking at evidence in the Puttaswamy v. India case, in the summer of 2017, the Indian government set up a committee of experts on data protection, chaired by a retired Supreme Court judge, B. N. Srikrishna, to examine the issues relating to data privacy. The committee submitted a report and a draft bill a year later. The current bill in parliament is a modified version of that draft bill.

HOW DOES THE NEW BILL IN PARLIAMENT DIFFER FROM THE OLDER DRAFT BILL?

The most important differences are the exemptions given to government agencies, the exemption for small entities (businesses that collect data manually), the criminalization of some actions, and the treatment of nonpersonal data (information that doesn’t contain any personal details).

First, the new bill gives the Indian government much more leeway for exemption. The old bill allowed exemption to use personal data in the interests of national security, but only if this was authorized by parliament and deemed “necessary” and “proportionate.” The new bill allows the government to exempt its agencies from the law on much more broadly defined grounds.

Second, both versions of the bill allow exemptions for small businesses that look after customers’ personal information manually. Under the old bill, such businesses needed to meet three conditions, based on annual turnover, whether they shared personal data, and how much personal data they processed. But under the new bill, the new Data Protection Authority decides which small businesses qualify for exemption.

Third, the old bill listed several actions as criminal offenses. These included causing harm by obtaining, transferring, or selling personal data; and reidentifying and processing anonymous personal data without consent. Under the new bill, only the latter is a criminal offense, although other violations could also be penalized.

Fourth, the old bill did not cover nonpersonal data. The new bill allows the government to obtain and use nonpersonal data, in order to better deliver services or to develop evidence-based policies.

The final big difference relates to where personal information is stored. The old bill only required a copy of all personal data to be stored in India. The new bill mandates storing all sensitive personal data in India. It may be transferred abroad if needed for health or other emergency services, or if the government decides to permit it.

WHAT ARE THE DIFFERENCES BETWEEN INDIA’S NEW BILL AND THE EU’S DATA PROTECTION LAW, THE GDPR?

There are some major differences between the two.

First, the bill gives India’s central government the power to exempt any government agency from the bill’s requirements. This exemption can be given on grounds related to national security, national sovereignty, and public order.

While the GDPR offers EU member states similar escape clauses, they are tightly regulated by other EU directives. Without these safeguards, India’s bill potentially gives India’s central government the power to access individual data over and above existing Indian laws such as the Information Technology Act of 2000, which deals with cyber crime and e-commerce.

Second, unlike the GDPR, India’s bill allows the government to order firms to share any of the nonpersonal data they collect with the government.

The bill says this is to improve the delivery of government services. But it does not explain how this data will be used, whether it will be shared with other private businesses, or whether any compensation will be paid for the use of this data.

Third, the GDPR does not require businesses to keep EU data within the EU. They can transfer it overseas, so long as they meet conditions such as standard contractual clauses on data protection, codes of conduct, or certification systems that are approved before the transfer.

The Indian bill allows the transfer of some personal data, but sensitive personal data can only be transferred outside India if it meets requirements that are similar to those of the GDPR. What’s more, this data can only be sent outside India to be processed; it cannot be stored outside India. This will create technical issues in delineating between categories of data that have to meet this requirement, and add to businesses’ compliance costs.