India has just announced a new comprehensive draft Personal Data Protection Act ("Act").[1] The Act applies to companies worldwide, includes many requirements that are comparable to those contained in the EU General Data Protection Regulation (GDPR) and adds a broad data residency requirement similar to the one Russia introduced in 2015. It is likely to be enacted and go into force later this year or in 2019 (see "Legislative Timeline" below). With this Act, the Indian government responds to a mandate from the Indian Supreme Court, which had directed the government to enact comprehensive data protection legislation. We provide details below on some key aspects of the Act and some immediate considerations for businesses impacted by it.
Key Aspects of the Act
- Terminology: Rather than using the GDPR's terminology, the Act refers to data controllers as "data fiduciaries" (who determine the purposes and means of processing personal data) and to data subjects as "data principals" (defined to mean "any natural person" which would include persons both within and outside India). Data processors (persons processing personal data on behalf of a data fiduciary) are still referred to as data processors. Similar to the GDPR, data fiduciaries are responsible for the activities of data processors. The Act protects the personal data of data principals (who may be located within or outside India). In the remainder of this alert we use the internationally more commonly used terms "data controller" and "data subject" in place of "data fiduciary" and "data principal," as those terms are more familiar to most readers.
- Broad Definition of Personal Data and Exemption for Anonymized Data: "Personal data" is broadly defined as data about or relating to a natural person. "Sensitive personal data" includes passwords, financial data, health data, sexual orientation, biometrics, and caste data, but this is not an exhaustive definition. However, the Act excludes "irreversibly" anonymized data from its requirements.
- Broad Scope and Application to Data of Foreign Data Subjects Stored in India: The Act's scope is very broad. It applies to processing of personal data collected, disclosed, shared or otherwise processed within India. As the definition of "processing" includes mere storage of personal data, it would apply to the storage of the personal data of foreign data subjects in India, and this would trigger notice and other requirements for data controllers in respect of such personal data.
It also applies to data controllers and data processors outside India if the processing is in connection with business carried out in India, with the systematic offering of goods or services to data subjects in India, or with activity that involves profiling of Indian data subjects. This would sweep in almost any entity with an Indian connection, for example one that offers goods or services through a website in India.
- Notice Requirements and Restrictions on Processing: Processing of both personal and sensitive personal data now requires a lawful processing basis. Permissible bases are specified in the Act for each category of data. Consent is a lawful basis for both personal data and sensitive personal data, but heightened information requirements apply for sensitive personal data. The Act also imposes notice requirements on data controllers relating to the collection and use of personal data. However, the Act allows data to be processed for a purpose "reasonably incidental" to the purpose for which it was collected. It also permits processing for "a reasonable purpose".
The Data Protection Authority established under the Act is expected to flesh out what these terms mean and what processing is permitted on these bases.
- Restrictions on Processing Personal Data Relating to Children: Data controllers are required to create mechanisms for age verification and parental consent to process the personal data of children, though they have some leeway in designing these mechanisms as the Act is not prescriptive with respect to such mechanisms. "Guardian" data controllers who operate commercial websites or online services "directed" at children or who process large volumes of personal data of children are barred from profiling, tracking, behavioral monitoring or targeted advertising directed at children and from other processing activities that can cause "significant harm" to children.
- GDPR-Style Rights: The Act provides GDPR-style rights to data subjects, including a right to confirmation of and access to data, data portability, a right to be forgotten, and a right to correction of the data. However, these rights are not identical in scope to the corresponding rights under the GDPR. For example, the "right to be forgotten" requires a data subject to submit a request to an adjudicating authority under the Act, which weighs the request against various other factors before deciding whether to grant it. In practice, this means that data controllers are less likely to receive such requests "to be forgotten" than under the corresponding right in the GDPR or the new California Consumer Privacy Act, neither of which has such an adjudication process.
- Stringent Data Residency Requirements: The Act creates stringent data residency requirements. A copy of all personal data to which the law applies must be stored in India by the data controller (additional copies can be stored outside India). The government can also notify some categories of data which must be stored only in India. This would effectively compel the creation of Indian data centers for many businesses.
- Cross-Border Data Transfers Also Regulated: Cross-border data transfers are only permitted through:
- standard contractual clauses blessed by the Data Protection Authority under the Act; or
- EU-style adequacy decisions from the Indian government.
Potentially, additional consent of the data subject may be required, though it is unclear from the Act whether this is still needed when one of the above mechanisms is used.
- High-Risk Data Controllers: The Data Protection Authority can classify data controllers as "significant" or high risk if they process large volumes of personal data or process sensitive personal data, and depending on turnover, risk of harm to data subjects, and a number of other factors. Heightened requirements apply to such "significant" data controllers: they have to conduct data protection impact assessments, comply with record-keeping requirements, conduct data audits, and appoint a Data Protection Officer.
- Data Breach Notification Requirements: The Act creates a data breach notification requirement for all data controllers. The Data Protection Authority has to be informed of any breach where the "breach is likely to cause harm to any data subject". The notification has to be made "as soon as possible", but the Data Protection Authority may specify a notification period under the Act. The Data Protection Authority then determines whether the data subject has to be informed. The Data Protection Authority can also order other remedial action and post details of the breach on its website.
- GDPR-Style Penalties: The Act also has GDPR-style penalties. A fine of approximately USD 730,000 or 2% of global turnover applies for, among other items:
- failures to notify data breaches;
- failure to meet obligations as a significant data controller.
Similarly, there is a fine of approximately USD 2.7 million or 4% of global turnover for:
- failure to provide notices to data subjects along with a legitimate basis for processing;
- unlawful cross border data transfers;
- processing the data of children in contravention of the Act.
There are also criminal penalties for the sale of personal data in contravention of the law which results in significant harm to the data subject, and for re-identification of anonymized data.
Legislative Timeline
The Act now has to be approved by the IT Ministry, then placed before the Union (Federal) Cabinet, and once approved by it, placed before Parliament. All this should take a few months, if not more. India's Minister of Law, Justice, Electronics and Information Technology, Ravi Shankar Prasad, promoted the new Act at a town hall and panel discussion hosted by the US-India Business Council and the Hewlett Foundation on 27 August 2018 in Palo Alto with Justice Cuellar of the California Supreme Court, Raj Sabhlok, president of Zoho Corporation, and Lothar Determann, one of the authors of this article.[2] Minister Prasad emphasized that the Act is still in draft form and could see changes before it is enacted. Minister Prasad also encouraged all stakeholders to share their views on the draft Act.
Enactment is unlikely to be stalled long-term: the government had been asked to enact a comprehensive data protection law under an August 2017 Indian Supreme Court judgment holding that the right to privacy is a fundamental right under the Indian Constitution, and it would potentially be in contempt of court for failing to enact the law.
The substantive compliance provisions of the Act will go into effect 18 months after it is enacted, providing a lead-in time during which the Data Protection Authority will also provide guidelines with respect to compliance and enforcement.
What Should Businesses Do Right Now?
- Review existing data sharing and processing practices, and prepare a roadmap for compliance and implementation; as anyone who has worked on the GDPR knows, 18 months is not a lot of time to prepare for compliance with an entirely new regulatory regime.
- Integrate compliance measures and task lists with existing efforts to address requirements of the Act, the EU GDPR, the California Consumer Privacy Act of 2018 and other global data protection, privacy and security laws holistically.
- Prepare data maps, inventories, or other records of all personal data covered by the Act to assess what personal data in the business's control is covered, add newly required information to privacy policies, and prepare for data access, correction, and portability requests.
- Consider data minimization and retention duties and identify legal bases for processing of personal data under the Act.
- Consider how to comply with some of the Act's substantive requirements such as those relating to data subject rights, data residency and mechanisms for cross-border data transfers.
- Evaluate agreements with data processors to see if they meet the accountability requirements for data controllers under the Act.
- Monitor legislative developments and implementation guidance to be provided by the Data Protection Authority under the Act.
1. We refer to the law as an "Act" even though, strictly speaking, it is a "bill" until it is signed into law, at which point it will become the Personal Data Protection Act. A copy of the draft Personal Data Protection Act is available at http://meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill%2C2018_0.pdf. As it is still in draft form, it may see changes before it is signed into law.
2. For a description of the panel discussion, which was held at the Hewlett Foundation in Palo Alto, see Ritu Jha, "India's digital data debated at town hall", Indica News (29 August 2018), https://indicanews.com/2018/08/29/indias-digital-data-debated-at-town-hall/. The Minister was in California to meet with tech leaders and discuss data privacy and security issues. See Press Trust of India, "Need to work together to better manage challenges like data privacy, security issues: Ravi Shankar Prasad", The Economic Times (28 August 2018), https://economictimes.indiatimes.com/news/economy/policy/need-to-work-together-to-better-manage-challenges-like-data-privacy-security-issues-ravi-shankar-prasad/articleshow/65583364.cms.