Electronic data protection in India is currently governed by the Indian penal code, the information Technology Act 2000 – IT Act Amendment 2008, and therefore the Information Technology Rules, first introduced in 2011. The non-public Data Protection Act (PDPA) emerged from a Supreme Court ruling in 2017 that found privacy to be a fundamental right, and therefore the new changes replace an initial draft produced in 2018.

In its latest version, the PDPA, which can govern how personal information is handled by business and government bodies within India, highlights, specifically, how technology companies must manage the information of Indian citizens and the way they collect and process the same. The bill, while requiring sensitive data to stay on servers within India’s territory, at the same time permits non-sensitive data to be stored outside the country with certain conditions set by the PDPA. The scope of sensitive or critical data –which is to be stored locally – is defined by the Indian government and ensured to be followed through out.

 

Who Should Comply?

Many new compliance requirements are imposed by the bill on most businesses in India for data protection. Almost every business in the India’s economy should meet the bill’s conditions set within the PDPA. This may include not just e-commerce, social media, and IT companies, but also property companies, hospitals, and pharmaceutical domains. The sole exceptions are going to be “small entities” (businesses like small retailers that collect information manually and meet other conditions to be specified by the PDPA).

Some financial and telecommunications firms are already subject to privacy and confidentiality requirements taken off by their sectoral regulators so that they already follow some practices required by the bill. Except for all other businesses, these rules would be new and a tug-of-war to make sure compliance for the same.

 

Penalties for Non – Compliance With PDPA – GDPR

The bill gives the PDPA the facility to fine any business that doesn’t adhere to the bill or the regulations made by either the PDPA or the govt of the Republic of India.

A maximum of 150 million Indian rupees (which would be about $2.1 million) or 4 percent of the worldwide turnover of the firm can be the amount of penalty that may be imposed within the preceding twelve months as per the most recent revision.

So far, the Indian Government has not imposed fines on any organization for the PDPA since the act is in pipeline.

In case of GDPR, the French National Commission on Informatics and Liberty or CNIL on 21 January 2019 fined Google with a €50 million fine. This can be the largest GDPR fine ever collected to the current date issued for violation of:

  • Information related to the location where personal data is gathered from the data subject – Article 13,
  • Information to be provided where personal data hasn’t been obtained from the information subject – Article 14,
  • Lawfulness of processing – Article 6,
  • Principles regarding the processing of non-public data – Article 5

This fine was imposed on Google for the lack of transparency by the organization on the way how they were collecting and harvesting data.

 

Other Similar Data Protection Laws

As time passes, we will see many countries turning out with their privacy laws to ensure data privacy and that they hold the monopoly for data of their citizens in transit and at rest. Few data protection laws are mentioned below.

  1. Brazil – Brazil’s Lei Geral de Proteçao de Dados (LGPD)
  2. Australia – the Privacy Amendment (Notifiable Data Breaches) to Australia’s Privacy Act
  3. USA – while there’s currently no data privacy law applicable to any or all organizations on the federal level, every state within the Union has its own data privacy laws for compliance
  4. Japan – Japan’s Act on Protection of private Information
  5. South Korea-South Korea’s Personal Information Protection Act
  6. Thailand-Thailand Personal Data Protection Act (PDPA) – May 2019

 

How PDPA is different from GDPR?

There are some major differences between the two. First, the bill gives India’s central government the ability to exempt any administrative body from the bill’s requirements. This exemption may be given on the grounds associated with national security, national sovereignty, and public order.

While the GDPR offers EU member states similar escape clauses, they’re tightly regulated by other EU directives. Without these safeguards, India’s bill potentially gives India’s central government the facility to access individual data over and above existing Indian laws like the knowledge Technology Act of 2000, which prohibited cyber-crimes and e-commerce.

Second, unlike the GDPR, the Indian bill enables the govt to ask organizations to share any non-personal data gathered by them with the govt. The bill says this is often to boost the delivery of state services. But it doesn’t explain how this data is going to be used, whether it’ll be shared with other private businesses or any compensation is going to be obtained using this data.

Third, the GDPR doesn’t require businesses to keep EU citizens’ data within the EU. They can transfer it overseas when they meet conditions like standard contractual clauses on data protection, codes of conduct, or certification systems that are approved before the transfer.

The Indian bill allows the transfer of some personal data, but sensitive personal data can only be transferred outside India if it meets requirements that are kind of like those of the GDPR. What’s more, this data can only be sent outside India to be processed; it can’t be stored outside India. This may create technical issues in delineating between categories of information that must meet this requirement and boost businesses’ compliance costs.

 

References:

  1. https://portswigger.net/daily-swig/indias-answer-to-gdpr-data-protection-legislation-set-to-pass-this-year
  2. file:///F:/Blogs/Personal-Data-Protection-Bill-2019.pdf
  3. https://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf
  4. https://www.meity.gov.in/content/information-technology-act-2000
  5. https://carnegieindia.org/2020/03/09/what-is-in-india-s-sweeping-personal-data-protection-bill-pub-80985
  6. https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2020/
  7. https://insights.comforte.com/countries-with-gdpr-like-data-privacy-laws

 

Author,

Omkar Gaikwad,

Audit & Compliance Team,

Varutra Consulting Pvt. Ltd.