New legislation sets out to bring India in line with international best practice, but what will this look like in action?
ANALYSIS This year, India should become the latest large economy to introduce a comprehensive data privacy law.
Until now, the personal data of India’s population of 1.4 billion people has been protected by the IT Act 2000.
Although the act has been amended repeatedly since, there is a consensus in both the public and private sectors that India now needs specific personal data privacy legislation.
Moreover, the Indian authorities want to bring the country’s data protection law in line with international best practice, with the European Union’s General Data Protection Regulation (GDPR) as the preferred model.
The new law is currently being considered by a joint committee in India’s parliament, with the full legislation set to be implemented in the next two years.
What is the Personal Data Protection Bill?
Both the IT Act and India’s Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011 are now relatively dated, especially compared to ‘gold standard’ data protection legislation such as the GDPR.
Lawmakers in India feel that existing laws put the nation at a disadvantage internationally and have failed to keep up with developments such as the digitization of commerce and services and the growth of social media.
“The Indian Personal Data Protection Bill (PDPB) is a proposal that came from the Srikrishna Committee to modernize the laws that govern personal data in India,” Nader Henein, VP analyst at research firm Gartner, tells The Daily Swig.
“Even though India recognizes the right to privacy within its constitution and there have been some amendments to the Information Technology Act (2000) that provide protections for the mishandling of personal information, there is no unified privacy law in place today.”
The reform process started in 2017, when a ruling in India’s Supreme Court declared that privacy was a fundamental right under the constitution.
In 2018 the court asked the government to create more robust data protection rules, and the PDP Bill was introduced in India’s Parliament in 2019 and referred to a joint parliamentary committee.
“Both industry and government felt that the absence of law tailored to provide privacy protections was detrimental on the international stage and within India as well,” says RV Raghu, director at Versatilist Consulting India, and member of the ISACA Emerging Trends Working Group.
“There is agreement both in the public and private sector that there is a need for laws such as the PDP that deal with personal data protection.”
India’s Personal Data Protection Bill is due to be implemented in 2022
When will India’s Personal Data Protection Bill be implemented?
At the moment, this is not entirely clear. A joint parliamentary committee is reviewing the 2019 legislation and has made recommendations for change, including having one data protection authority (DPA) for personal and non-personal data, a 72-hour period for breach disclosures, and potential penalties amounting to 4% of a company’s global turnover.
The joint parliamentary committee also set deadlines for implementation: the Data Protection Authority should be active within six months, registration of “data fiduciaries” within nine months, and all provisions of the Bill to be implemented within 24 months.
However, even this is not fixed – RV Raghu points out that the timetable will only be clear once the joint committee’s recommendations are voted on by Parliament.
The proposed law’s development has also been complex. Gartner’s Henein notes: “An initial draft was introduced in 2018, [and] a new revised draft emerged in 2019, which was then heavily amended by the committee.
“We have yet to see the latest iteration but there has been some very strong indication that it may be put to the vote during the winter session in Parliament, currently in session.”
How will the new law operate?
Lawmakers hope that the PDP will put Indian law on a similar footing to that of developed markets, especially the EU, the UK, and the US. The PDP clearly draws on the GDPR as its starting point: its Data Protection Authority, breach disclosure rules, and penalty regime all mirror features of the European regulation.
“This will ensure that India has a standard set of rules and regulations with regards to data protection and governance,” Deepak Naik, vice president at cybersecurity firm Qualys, told The Daily Swig. This is deliberate, he says.
“There are synergies with those global standards like GDPR that will help in a lift and shift approach for global IT and social media companies without the fear of any regulatory action.
“There won’t be that same heavy burden of local customization that has to take place for the other larger markets like China, Russia, or Brazil.”
There are, though, some differences that organizations in India, or those that trade with India, will need to take into account.
The DPA, for example, is not independent, as data protection offices are in some competing economies – instead, its members will be chosen by India’s government.
Organizations that are viewed as ‘significant’ data fiduciaries will have to have their data-handling processes audited annually – these auditors will be selected from a government-approved list.
From a citizen’s point of view, individuals have a right of access to their data, and the right to have records deleted. They do not, currently, have a right not to be profiled as they do under the GDPR or the UK’s Data Protection Act.
And unusually, according to RV Raghu, the law will require the DPA to create a (privacy) sandbox for companies working with AI, machine learning, and other emerging technologies.
How will the PDP impact businesses?
The impact of the PDP Bill on international organizations that already comply with regulations such as the GDPR should be minimal. The Indian authorities have consciously set out to avoid requirements that are excessively India-specific.
For firms based in India, complying with the requirements of the PDP will bring them into line with international data protection best practice.
Even so, there are some national elements to the legislation that all organizations need to be aware of.
First and foremost is the requirement for DPA-approved independent audits. As yet it is not clear which organizations will need to do this, though it is likely that larger organizations and those processing significant volumes of data will need to comply.
Secondly, data localization requirements specify that either a copy of data is held in India or, for critical data, that it does not leave India at all. These rules should become clearer as implementation of the PDP Bill moves closer.
Social media companies will also have to comply with a clause on verifying the identities of their users. Again, the exact way this clause will work is not yet clear.
“On a positive note, IT and social media giants will now have the confidence to host their global services in India rather than outside the country,” notes Deepak Naik at Qualys. “They will be able to deploy a compliance framework that is similar or equivalent to the countries being serviced.”
How can companies ensure compliance?
Compliance will depend on organizations knowing their applications and IT systems, where they collect and process data, and why.
“To achieve this, companies will have to know all their infrastructure, be able to define their security deployments, and keep that infrastructure up to date and secure over time,” says Deepak Naik at Qualys.
ISACA expert RV Raghu agrees. “Businesses need to start with the basics such as clarity on which data are being collected and why, how the data are being processed and who has access to them,” he says.