India has Proposed the First Draft of a Personal Data Protection Bill

The global trend for stricter consumer data privacy continues with India’s release of their first draft of a personal data protection bill. On July 27, 2018, India’s “Committee of Experts” released the first draft of the bill to the public. The bill was inspired by a 2017 Supreme Court of India decision where it was held that privacy is a fundamental constitutional right. The government then created the “Committee of Experts” to create a bill that would aim to protect Indian citizen’s data privacy.

The bill is similar to the General Data Protection Regulation (“the GDPR”) of the European Union.1 The key features of this bill include:

  • rights granted to “data principals” (Indian citizens) which include the right to access, data portability, and the right to be forgotten;
  • structuring a Data Protection Authority (“DPA”) and requiring organizations to hire Data Protection Officers (“DPO”);
  • mandating data localization; and
  • significant penalties, including fines of up to 4% of global annual turnover and criminal penalties for wanton, reckless or knowledge of violations.

In similar fashion to the GDPR, the proposed bill also applies to companies outside of India who are processing Indian citizens’ data. The bill includes several other features that are similar to those included in the GDPR, such as the rights granted to the citizens, the hiring of a DPO, the creation of a DPA, and the imposition of significant fines for violations. In other respects, however, the bill is distinct from the GDPR.

Unlike the GDPR, this bill requires companies to practice data localization. Data localization will require companies to store copies of any personal data they collect of Indian citizens in India. Another key difference is the proposal of criminal penalties.

The bill has been submitted to India’s Ministry of Electronics and Information Technology, where it will be reviewed before proceeding further. Our experienced attorneys at Dickie, McCamey & Chilcote, P.C. have advised clients on international and domestic data privacy compliance and will continue to provide updates on this latest development in the global trend for stricter data privacy.

1We have discussed the GDPR in greater detail in prior articles which can be found at the following URLs:
/Publication-New-Data-Protection-Regulation-in-the-European-Union and /Publication-The-General-Data-Protection-Regulation

The material on this site is for general informational purposes only and is not intended to be, and should not be construed to be, legal advice. There shall be no liability accepted as a result of any improper reliance on the material on this site. A qualified lawyer should always be consulted with regard to any specific legal issue or problem.