India’s data protection regime: Are you ready for the change?

What are the opportunities and risks for Chinese investors once the personal Data Protection Bill 2019 is approved?

With more than 560 million users, India is now the second-largest online market in the world after China. With increasing internet penetration, debates around data theft and privacy have come to the forefront, and data protection has become a national priority.

The Supreme Court of India elevated “right to privacy” to the status of a fundamental right under the Constitution of India when it delivered its judgment in Justice KS Puttaswamy (retd) & Anr v Union of India and Ors on 24 August 2017. Almost three years later, the wait for India’s first comprehensive legislation to regulate data is drawing to an end.

Existing privacy obligations in India are contained in the Information Technology Act, 2000, and deal with sensitive personal data or information including financial, physical, health, biometric information, etc. The law prescribes civil and criminal sanctions for non-compliance with privacy obligations. The proposed legislation is awaiting approval from parliament as the Personal Data Protection (PDP) Bill 2019. The PDP bill is largely modelled along the lines of the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018, with one significant difference being the requirement for localization of data and strict restrictions on the cross-border transfer of data.

The PDP bill recognises three kinds of data: (1) personal data (which is wide enough to include any and all data relating to a natural person that could identify him/her); (2) sensitive personal data (SPD) such as financial, health, sexual orientation and biometrics; and (3) critical personal data (not defined under the PDP bill at present). It also empowers the data principals – defined as a natural person to whom the personal data relates – by conferring on them the right to confirmation and access, correction and erasure, data portability, and the right to be forgotten.

The entities recognised under the PDP bill are data processor (similar to the processor concept of GDPR), data fiduciary (similar to the data controller concept of GDPR), and significant data fiduciary, which is a class of data fiduciary. The PDP bill also proposes the establishment of a specialized regulator, the Data Protection Authority of India (DPA), conferred with vast powers for the purposes of inter alia protection of privacy of individuals, and regulation of personal data such as laying down regulations for protection of rights of data principals, standards of anonymization, and notification of data breach.