An introduction to India’s new privacy regime

Vikram Jeet Singh

BTG Legal, New Delhi

vikram@btglegal.com

More than four years after India’s Supreme Court declared privacy of information to be a fundamental right, a new draft data privacy law is closer than ever. The process of expert review and industry consultations is almost complete, with the Indian parliament’s joint expert committee submitting its final report in December 2021.

While this report suggests substantial changes, the new data privacy legislation is finally coalescing in form and scope. Although the final legislative copy of the privacy bill is awaited, industry stakeholders can start evaluating how this new law will affect their business and activities.

A key to understanding this new law is to remember that it is very much inspired by the European Union’s General Data Protection Regulation (GDPR). The new law mimics GDPR in that it requires a ‘privacy by design’ architecture, sets up a central data protection authority and mandates heavy fines for non-compliance. Moreover, if this new bill results in even a fraction of the seminal impact that GDPR had on EU businesses back in 2016, we are looking at a law that will fundamentally change the way business is conducted in India.

With this in mind, here are answers to some basic questions about the new law.[1]

When will the new data privacy law come into force?

The new draft law is likely to be placed for approval before the Indian parliament later in 2022. Given the importance of the legislation, it should enjoy a quick passage before both houses of parliament. This law, like all India’s laws, will come into force after parliamentary approval, when it receives the President’s ‘assent’, and is published in the government’s Official Gazette.

Taking the first of its (many) cues from the GDPR, the final form of the new data privacy law will provide a ‘grace period’ for implementation; the parliamentary committee suggested a period of 24 months, or two years, from publication. By way of illustration, if the final law is notified in June 2022, it may be enforced (or enforced in stages) until June 2024.

While this is a substantial period of time, businesses should evaluate at the outset how much time their organisation will need to comply. In some cases, this may involve root-and-branch change that may take as long, or even longer, to implement than the grace period.

Who (and what) does this law apply to?

There are to useful definitions to start with here: ‘data fiduciaries’ and ‘data processors’. Like the GDPR concept of a ‘data controller’, a ‘data fiduciary’ is any entity or individual who determines the purpose and means of processing of personal data. ‘Data processor’ means anyone who processes personal data on behalf of a data fiduciary. At the most basic level, this new law applies to the data processing activities of data fiduciaries and data processors.

What is regulated is the processing of personal data, sensitive personal data and (following the parliamentary committee’s recommendations) non-personal data as well. A part of this regulatory matrix is still unclear, since the government has been given the power to determine what is sensitive personal data and, more importantly, what is critical data.

The new law is intended to apply to any processing of personal data that is collected, stored, disclosed, shared or otherwise processed within the India’s territory. This is, as will be seen, a very wide definition. One issue that crops up immediately is that of unintended consequences – will this new law, for instance, apply to EU data subjects’ data that is only stored in India by an IT service provider? There is no final clarity on this, although India’s IT service industry organisations have sought an exemption for such processing.

The new law also has extra territorial application, in that it applies to data fiduciaries of not present within the territory of India, if their processing is in connection with business carried out in India, or any systematic activity, including profiling of data principals in India. This means that merely outsourcing any data processing activity abroad will not affect the applicability of this law.

What will need to be done to comply with this law?

Give notice

Data fiduciaries will be required to give notice to data principals before collecting their data, and the contents of this notice are prescribed. The very first action for a data fiduciary to take is to provide notice before data collection, or as soon as practicable if data is not sourced directly from the data principal.

Take consent

The basis and cornerstone of data processing in the new law is the consent of the data principal. This consent must be free, informed, specific and clear, each of which has been elaborated in the draft law. The exception to having to obtain consent is where there is a statutorily prescribed reasonable purpose involved, for example employer/employee interactions.

Retain only if required

Data fiduciaries cannot retain personal data beyond the necessary purpose for which it is processed and it should be deleted at the end of such a period. The personal data can only be retained for longer with the explicit consent of the data principal, or if required to comply with any applicable law.

Special protections for children

As expected, special protections are proposed for children’s data. This is a sensitive area, and a potential compliance minefield given that any breach will have disproportionate negative consequences. Processing children’s data has to be negotiated carefully, as the draft law is sometimes unclear. For instance, a data fiduciary is required to verify the age of a child and obtain parental consent before processing that child’s data. Harmful profiling, tracking, targeting of, or advertising to, children is prohibited.

Data principals’ rights

Similar to the GDPR, a number of discrete rights have been provided to each data principal. These include the right to confirmation and access to personal data, right to correction and erasure, right to portability, and the right to object to processing. A number of such rights were not contemplated in the previous 2011 iteration of privacy laws, and will need to be thought through when it comes to actual implementation (eg, data portability across fiduciaries).

Restrictions on export abroad

There is a graded approach to the transfer of personal data in the new law. Sensitive personal data can be transferred abroad (subject to contractual safeguards), but a copy is also required to be stored in India. ‘Critical’ data can only be processed in India. The new law also imposes reporting and approval obligations, in certain cases of data export.

How can businesses comply with this new law?

Prepare a ‘privacy by design’ policy

Every data fiduciary is required to frame this policy, comprising managerial, organisational, business practice and technical systems to identify and avoid harm to data principals, and also balancing the obligations and legitimate business interests of the data fiduciary with the interests of the data principals. From previous experience with similar policies under GDPR, this would be a bespoke exercise for every organisation, involving thinking through past and future data practices and how they fit into the new law’s frameworks.

Implement security safeguards

Data fiduciaries and data processors, alike, are required to implement security measures to protect data, including measures such as encryption. While no security standards have yet been prescribed, the intent is that these should be adequate having regard to the likelihood and severity of harm that may result from such processing activities.

Report data breaches

Data fiduciaries are required to report data breaches to the designated data protection authority within 72 hours, and where it is not possible to do so, then without undue delay. In an important departure from the GDPR, there is no requirement to inform the data principals of a breach; in fact, it is left to the data protection authority to direct a data fiduciary to report such breaches to the data principal.

Engaging data processors

Data fiduciaries can only appoint data processors pursuant to a contract, and such data processors are only required to process data according to the data fiduciary’s instructions. Data processors cannot subcontract further without the prior approval of the data fiduciary.

Additional compliances for ‘significant data fiduciaries’

Social media platforms and certain other data fiduciaries are designated as ‘significant’ based on the volume of data they process, or the sensitivity of such data (eg, children’s data) and risk of potential harm.

These entities are required to undertake additional compliances, including performing data protection impact assessments when using new technologies or processing sensitive personal data such as genetic data. The contents of such impact assessment have been broadly prescribed. Significant data fiduciaries are also required to maintain records in the prescribed form, including details of data protection impact assessments undertaken.

The policies and processing conduct of such entities is also to be audited annually by an independent data auditor. This is similar to independent financial auditors auditing the books of accounts of limited liability companies under company law. The data auditor, in this case, would review and confirm matters such as statutory notices, security safeguards, etc.

Finally, every significant data fiduciary is required to appoint a data protection officer. The officer has to be a direct employee of the fiduciary, who is a ‘key managerial person’, as prescribed. Qualifications for DPOs have yet to be prescribed, but their role would include monitoring data processing activities, record keeping, grievance redress, etc.

Grievance redress

Every data fiduciary is required to put in place procedures to handle data principals’ grievances. Complaints can be made to a DPO in case of significant data fiduciaries, and in each other case to officers designated for this purpose. Complaints must be resolved within 30 days of their receipt, failing which, a complaint may be filed to the data protection authority.

Penalties for non-compliance

Data fiduciaries could face penalties up to INR50m (approximately $640,000) or two per cent of worldwide turnover, whichever is the greatest, in case of a non-compliance. In case of egregious offences, this penalty may go up to INR150m (approximately $1.9m) or four per cent of the data fiduciary’s worldwide turnover. The re-identification of de-identified data personal data without the data principal’s consent is punishable with imprisonment and/or fines. A data principal is also entitled to seek compensation in case of any non-compliance.