Unpacking the New Privacy Regime in India: The When, Who, What, and How?
More than 4 years after the Indian Supreme Court declared informational privacy to be a fundamental right, a new draft data privacy law for India is closer than ever. The process of expert review and industry consultations is (almost!) complete, with the Indian Parliament’s joint expert committee submitting its final report in December 2021.
While this report suggests substantial changes, the new data privacy legislation is finally coalescing in form and scope. Even absent the final legislative copy of the privacy bill, industry stakeholders can start evaluating how this new law will impact their business and activities.
A key to understanding this new law is to remember that it is very much inspired by the GDPR. The new Indian law mimics GDPR when it requires a ‘privacy by design’ architecture, sets up a central data protection authority, and mandates heavy fines for non-compliance! And, if this new bill has even a fraction of the seminal impact that GDPR had on European businesses back in 2016, we are looking at a law that will fundamentally change the way business is conducted in India.
With this in mind, here are answers to some basic questions about the new Indian law.
For reference, a copy of the Indian Parliamentary committee’s report, that contains the latest iteration of this law, can be found here.
When will the new Indian data privacy law come into force?
- The new draft law will likely be placed before the Indian Parliament for approval in early 2022. Given the criticality of this legislation, it should enjoy quick passage before both houses of Parliament. This law, like all Indian laws, will come into force after Parliamentary approval when it receives the Indian President’s ‘assent’, and is published in the Indian Government’s Official Gazette.
- Taking the first of its (many) cues from the GDPR, the final form of the Indian data privacy law too will provide a ‘grace period’ for implementation; the Parliamentary committee suggested a period of 24 months, or 2 years, from publication. By way of illustration, if the final law is notified in June 2022, it may be enforced (or enforced in stages) until June 2024.
- While this is a substantial period of time, you should evaluate at the outset how much time your organisation will need to comply. In some cases, this may involve root-and-branch change that may take as long, or even longer, to implement.
Who (and what) does this law apply to?
- Two useful definitions to start with here – ‘data fiduciaries’ and ‘data processors’. Like the GDPR concept of a ‘data controller’, a ‘data fiduciary’ is any entity or individual who determines the purpose and means of processing of personal data. ‘Data processor’ means anyone who processes personal data on behalf of a data fiduciary. At the most basic level, this new law applies to the data processing activities of data fiduciaries and data processors.
- What is regulated is the processing of personal data, sensitive personal data, and (following the Parliamentary committee’s recommendations) non-personal data as well. A part of this regulatory matrix is still unclear, since the Indian Government has been given the power to determine what is sensitive personal data and, more importantly, what is critical data.
- Conceptual Extent: This new law is intended to apply to any processing of personal data that is collected, stored, disclosed , shared or otherwise processed within the territory of India. This is, as you will see, a very wide definition. One issues that crops up immediately is of unintended consequences – will this new law, for instance, apply to EU data subjects’ data that is only stored in India by an IT service provider? There is no final clarity on this, though Indian IT service industry organisations have sought an exemption for such processing.
- Extra Territorial Application: The new law also has extra territorial application, in that it applies to data fiduciaries of not present within the territory of India, if their processing is in connection with business carried out in India, or any systematic activity in India, including profiling of data principals in India. This means that merely outsourcing any data processing activity outside of India will not impact the applicability of this law.
What will need to be done to comply with this law?
- Give Notice: Data fiduciaries are required to give notice to data principals before collecting their data, and the contents of this notice are prescribed. The very first thing, then, for a data fiduciary to do is to provide notice before data collection, or as soon as practicable if data is not sourced from the data principal directly.
- Take Consent: The basis and cornerstone of data processing in the new law is consent of the data principal. This consent has to be free, informed, specific, and clear, each of which items has been elaborated in the draft law. The exception to having to obtain consent is where there is a statutorily prescribed reasonable purpose involved, for example employer employee interactions.
- Retain only if Required: Data fiduciaries cannot retain personal data beyond the necessary purpose for which it is processed and it should be deleted at the end of such period. The personal data can be retained for longer only with the explicit consent of the data principal, or if required to comply with any applicable law.
- Special Protections for Children: As expected, special protections are mooted for children’s data. This is a sensitive area, and a potential compliance minefield given that any breach will have disproportionate negative effects. Processing children’s data has to be negotiated carefully, as the draft law is sometimes unclear; for instance, a data fiduciary is required to verify the age of a child and take parental consent before processing such child’s data. And, of course, harmful profiling, tracking, targeting of, or advertising to, children is prohibited.
- Data Principals’ Rights: Similar to the GDPR, a number of discrete rights have been provided to each data principal. These include the right to confirmation and access to personal data, right to correction and erasure, right to portability, and the right to object to processing. A number of such rights were not contemplated in the previous 2011 iteration of Indian privacy laws, and will need to be thought through when it comes to actual implementation (for e.g., data portability across fiduciaries).
- Restrictions on export outside India: There is a graded approach to transfer of personal data in the new law. Sensitive personal data can be transferred outside India (subject to contractual safeguards), but a copy is required to be stored within India as well. ‘Critical’ data can only be processed within India. The new law also imposes reporting and approval obligations, in certain cases of data export.
How will businesses comply with this new law?
- Prepare a ‘Privacy by Design’ Policy: Every data fiduciary is required to frame this policy, comprising managerial, organisational, business practice, and technical systems to identify and avoid harm to data principals, and also balancing the obligations and legitimate business interests of the data fiduciary with the interests of the data principals. From prior experience with similar policies under GDPR, this would be a bespoke exercise for every organisation, involving thinking through historical and future data practices and how they fit into the new law’s frameworks.
- Implement Security Safeguards: Data fiduciaries and data processors, alike, are required to implement security measures to protect data, including measures such as encryption. While no security standards have been prescribed thus far, the intent is that these should be adequate having regard to the likelihood and severity of harm that may result from such processing activities.
- Report Data Breaches: Data fiduciaries are required to report data breaches to the designated data protection authority within 72 hours, and where it is not possible to do so, then without undue delay. In an important departure from the GDPR, there is no requirement to inform the data principals of a breach; in fact, it is left to the data protection authority to direct a data fiduciary to report such breaches to the data principal.
- Engaging Data Processors: Data fiduciaries can only appoint data processors pursuant to a contract, and such data processors are required to process data only as per the instructions of the data fiduciary. Data processors cannot further subcontract without the prior approval of the data fiduciary.
- Additional Compliances for ‘Significant Data Fiduciaries’: Social media platforms and certain other data fiduciaries are designated as ‘significant’ based on the volume of data they process, or the sensitivity of such data (for example, data of children) and risk of potential harm.
a. These entities are required to undertake additional compliances, including performing data protection impact assessments when using new technologies or processing sensitive personal data such as genetic data. The contents of such impact assessment have been prescribed broadly.
b. Significant Data Fiduciaries are also required to maintain records in the prescribed form, including details of data protection impact assessments undertaken.
c. The policies and processing conduct of such entities is also to be audited annually by an independent data auditor. This is akin to independent financial auditors auditing the books of accounts of limited liability companies under company law. The data auditor, in this case, would review and confirm matters such as statutory notices, security safeguards, etc.
d. Finally, every significant data fiduciary is required to appoint a data protection officer. Such officer has to be a direct employee of such fiduciary, who is a ‘key managerial person’, as prescribed. Qualifications for DPOs have yet to be prescribed, but their role would include monitoring data processing activities, record keeping, grievance redressal, etc.
- Grievance Redressal: Every data fiduciary is required to put in place procedures to handle data principals’ grievances. Complaints can be made to a DPO in case of significant data fiduciaries, and in each other case to officers designated for this purpose. Complaints have to be resolved within 30 days of their receipt, failing which a complaint to the data protection authority may be filed.
- Penalties for non-compliance: Data fiduciaries could face penalties up to INR 5 crores or 2% of the worldwide turnover, whichever is higher, in case of a non-compliance. In case of egregious offences, this penalty may go up to INR 15 crores or 4% of the worldwide turnover of the data fiduciary. The re-identification of de-identified data personal data without the data principal’s consent is punishable with imprisonment and/ or fines. Additionally, a data principal is also entitled to seek compensation in case of any non-compliance.
Article provided by INPLP member: Vikram Jeet Singh and Prashant Mara (BTG legal, India)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)