India has just passed draft language for its first ever separate data privacy law: The Personal Data Protection Bill 2018.
Data privacy is not an entirely new subject for India’s legislators – there were some data privacy provisions in the Information Technology Act of 2000, though strictly speaking, these were information security recommendations rather than prescriptions on the treatment of personal data, or the granting of rights to data subjects.
With India’s digital economy ranked second only to China, a dedicated data privacy legal framework was desperately needed, and the move is being welcomed by the international privacy community.
Indeed, the bill itself recognises that India must “create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation with the growth of India’s digital economy.” This is a clear indicator that India recognised it was not going to maintain its position in international trade if it did not acknowledge international expectation.
Most of the provisions we have grown to recognise in data privacy laws are present here in India’s draft law. For example, the privacy principles listed in GDPR largely recur, as do the roles and responsibilities of the three main parties to any data interaction – subjects, controllers and processors – although controllers are called “data fiduciaries” and subjects are termed “data principals”.
But the most interesting things about the draft law are the emphasis on consent over other lawful reasons for processing; data sovereignty; and the various carve outs for processing performed by the state.
Whilst many privacy activists are rightly concerned about those carve outs and the dilution of some individual rights when compared to GDPR, I’m going to focus here on one particular potential issue that could impact businesses when processing data that is in scope: data sovereignty.
Firstly, the data in scope is very wide-ranging, as “The Act applies to the… processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India” – in other words, this does not just apply to Indian citizens’ data, but the data of any citizen of any nationality when processed in India.
Secondly, the new bill creates a requirement to retain a copy of all personal data in scope within India.
These two points combined will cause raised eyebrows in the board rooms of a lot of international companies with large centres in the country. Although the original outsourcing boom is over, there are of course still numerous businesses processing enormous volumes of personal data of citizens of all nationalities within India, the call centre industry being the obvious example.
Being mandated to copy that data and keep it within the country will firstly be an IT infrastructure burden, but could also potentially contradict other national and international privacy laws’ requirements for data minimisation.
Of course this is still a draft, so we shall have to see how the wording is finalised, but this is definitely an area to watch.
This is just one example of how, while it is undeniably a positive that increasing numbers of governments, industry bodies and other authorities are taking data privacy seriously, the variety of individual privacy regulations will inevitably create contradictions. Many businesses will likely require dedicated subject matter experts in both the processes required to abide by the myriad frameworks, and the IT infrastructure required to accommodate them.