The increase in data protection regulation around the world has led to a number of different compliance requirements for companies handling data. Among the new laws on the horizon is India’s Personal Data Protection Bill. While the legislation has not yet been approved, the long-awaited measure is expected to go before legislators soon. The law’s approach is notable for its similarity to the European Union’s General Data Protection Regulation (GDPR), with requirements for notice, a standard of consent, contracts with processors and rights of data principals (“data subjects” under the GDPR). However, it also contains notable variations, like the central role given to consent and the imposition of data localization requirements. The law also creates a Data Protection Authority of India (DPAI), which will have the power to guide companies on permissible activities or initiate complaints against them.
While the law is likely to undergo changes before it is enacted, its fundamental structure and broad compliance obligations are expected to remain the same. Companies both inside and outside India will thus need to familiarize themselves with its requirements and begin preparing for how it will impact their data processing activities. In terms of compliance and the impact on companies, key features to keep in mind include:
1. Territorial and Extra-Territorial Scope
The law brings both territorial and extra-territorial data processing within its scope. First, it applies wherever companies collect, share or otherwise process data on Indian soil. Second, in an important departure from the GDPR, any processing by an Indian company, an Indian citizen, the Indian state or any entity created or incorporated under an Indian law is within the scope of the law, regardless of where that processing takes place. Lastly, as with the GDPR, a company that is located outside India but that processes the information of data principals who are within the country falls within the scope of the law, provided the processing relates to offering goods or services to, or profiling of, the data principals in question. This applies whether the company is acting as a data fiduciary (“controller” under the GDPR) or a processor.
For example, a marketing services provider engaged by an Indian company undertaking data analytics of Indians is directly within the scope of the law. On the other hand, a non-Indian cloud service provider storing data for an Indian company is not, unless the processing relates to a business carried on in India. However, even here the law may continue to apply indirectly via the required contractual terms of the fiduciary, and via the cross-border transfer requirements if sensitive personal data is being stored.
2. Principles of Processing
The law lists fundamental principles of processing as basic obligations imposed on data fiduciaries. These include internationally-used principles like collection limitation, purpose limitation, storage limitation and data quality, as well as other precepts like not collecting more data than what is minimally required for the specific purpose at hand. Thus, as with the GDPR, a company with a website that collects data of Indians for marketing purposes, for example, must ensure its website is compliant by incorporating the required privacy notices and proper consent forms and adapting website forms to minimize data collection.
3. Lawful Basis of Processing: Consent and Exemptions to Consent
The Indian law deals with the lawful basis of processing a little differently from the GDPR. Here, consent will be the default lawful basis, unless the processing falls under one of the exemptions outlined under the law. These include processing by the state under a law, processing of personal data for employment purposes, processing because of an obligation under the law, and research activities. The DPAI will also define a broad category of “reasonable purposes,” including certain forms of processing such as for fraud prevention, credit scoring and when using publicly available data. For all others, consent will be required.
Further, the consent must match the GDPR standard that it is free, specific, informed, clear, and most importantly, capable of being withdrawn. Companies normally rely on a basis like “legitimate interests” under the GDPR rather than consent for a number of activities, including marketing, lead generation and data analytics. Under the Indian law, however, unless these activities are identified as an exempted “reasonable purpose,” companies should note that these will require consent, and that the data principals will have the right to withdraw the consent at any time.
While more clarity will come once the law is enacted, the exemptions are currently ambiguous in terms of scope. For instance, under the employment exemption, we can assume that general processing of materials like CVs and reference letters will be permitted as a recruitment activity. On the other hand, processing of sensitive personal information like health data for insurance or biometric data for attendance is explicitly excluded from the exemption, and thus will require explicit consent. However, it is unclear whether an activity like conducting an employee background check, which may include an invasive check of personal social media accounts or criminal records, will similarly be exempted or will require consent.
4. Consent Managers
The law introduces “consent managers,” a type of intermediary that will help data principals manage the consent given to data fiduciaries. They will play a crucial role because, in addition to giving, amending and withdrawing consent, they can also be used by data principals to exercise their rights under the law, like the rights to access and to erasure. In particular, the law deems a communication to a consent manager to be a communication to the fiduciary itself.
The actual model of how consent managers will function has not been clarified, leading to ambiguity about the implications for companies. The law specifies that consent managers are to be fiduciaries themselves, which operate via a transparent, accessible and interoperable platform. This indicates that the consent managers are likely to be independent entities, rather than employees appointed for this purpose.
Further clarity is required to address key logistical questions, such as whether a fiduciary can select the consent managers with whom all data principals must communicate, or whether data principals will have the freedom to select any consent manager of their choice for one or more data fiduciaries. While the latter is convenient and beneficial for data principals, it implies a sizable compliance burden for companies because, given the significant role of consent managers, companies will have to establish a proper, reliable and effective interface with all such consent managers. The former will be preferable for companies, particularly for those that manage a very large number of data principals.
5. Data Mirroring, Localization and Cross-Border Data Transfers
The law imposes restrictions for certain categories of data. All sensitive personal data is subject to data mirroring, meaning a copy of all biometric, religious, medical or financial data must be stored in India. Further, transfer of this data outside India will require compliance with transfer stipulations like an adequacy decision, contracts and intra-group schemes. Unlike under GDPR, these requirements do not apply to the transfer of personal data in general.
The Indian government will also identify certain categories of data as “critical personal data,” which may include biometric data, Aadhaar identification numbers or genetic data. This data is subject to data localization, meaning it can only be processed in India, including its collection, storage, transfer or disclosure. This requirement may be relaxed, however, if the privacy laws of the country to which the data is being transferred are adequate and the government sees no harm in the transfer.
These requirements are drawing the most attention from businesses around the world as they will entail major changes in how companies handle data. For instance, multinational companies that transfer and share huge amounts of employee, client, vendor and other data across borders will need to put procedures in place to identify and segregate the data and determine what data cannot be taken outside India, what will require a copy to be stored in India, and what will need to be entered into a cross-border transfer measure.
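As an added illustration (not code from the article, and not any regulator’s or vendor’s tooling), the identify-and-segregate step described above can be expressed as a small policy check: each record is tagged with the most restrictive tier it contains, and a proposed destination is then either allowed, allowed with required actions (store a copy in India, use a transfer measure), or blocked. The field-to-category mapping, region codes, the adequate-country list, the transfer-measure names and the government-approval flag are assumptions chosen for the example; the real thresholds and mechanisms will depend on the final law and DPAI rules.

```python
"""Data-residency policy check for records that may contain Indian personal data.

Added illustration, not code from the article or any regulator. It encodes the
three tiers as the article describes them:
  critical  -> localization: processed only in India, relaxed only when the
               destination has adequate privacy law and the government approves;
  sensitive -> mirroring: a copy stays in India, and any export needs a transfer
               measure (adequacy decision, contract or intra-group scheme);
  general   -> no residency restriction.
Field names, region codes, the adequate-country list and the boolean
government-approval flag are assumptions made for the example.
"""
from dataclasses import dataclass, field

# Assumed mapping from record fields to the data categories the article names.
FIELD_CATEGORY = {
    "aadhaar_number": "aadhaar",
    "fingerprint_template": "biometric",
    "genome": "genetic",
    "diagnosis": "medical",
    "religion": "religious",
    "bank_account": "financial",
    "name": "general",
    "email": "general",
}

CRITICAL = {"aadhaar", "biometric", "genetic"}                  # localization
SENSITIVE = {"biometric", "religious", "medical", "financial"}  # mirroring
TRANSFER_MEASURES = {"adequacy", "contract", "intra_group"}


def categories_of(record: dict) -> set:
    """Categories present in a record; unknown fields are treated as general."""
    return {FIELD_CATEGORY.get(name, "general") for name in record}


def classify_record(record: dict) -> str:
    """Most restrictive tier that any field of the record falls under."""
    cats = categories_of(record)
    if cats & CRITICAL:
        return "critical"
    if cats & SENSITIVE:
        return "sensitive"
    return "general"


@dataclass
class TransferRequest:
    destination: str               # region code such as "IN", "EU", "US" (assumed)
    transfer_measure: str = ""     # one of TRANSFER_MEASURES, or "" if none is in place
    govt_approval: bool = False    # assumed flag: government sees no harm in the transfer
    adequate_destinations: frozenset = frozenset({"EU"})  # assumed adequacy list


@dataclass
class Decision:
    allowed: bool
    tier: str
    actions: list = field(default_factory=list)


def evaluate(record: dict, req: TransferRequest) -> Decision:
    """Decide whether a record may go to req.destination and what must happen first."""
    cats = categories_of(record)
    decision = Decision(allowed=True, tier=classify_record(record))
    if req.destination == "IN":
        return decision  # processing inside India is unrestricted for every tier

    if cats & CRITICAL:
        if req.destination in req.adequate_destinations and req.govt_approval:
            decision.actions.append(
                "localization relaxed: adequate destination, government approval recorded")
        else:
            decision.allowed = False
            decision.actions.append(
                "blocked: critical personal data may only be processed in India")
            return decision

    if cats & SENSITIVE:
        decision.actions.append("store a copy in India before export (mirroring)")
        if req.transfer_measure in TRANSFER_MEASURES:
            decision.actions.append(f"export under transfer measure: {req.transfer_measure}")
        else:
            decision.allowed = False
            decision.actions.append(
                "blocked: no cross-border transfer measure for sensitive data")
    return decision


if __name__ == "__main__":
    # Constructed sample record: an employee file that happens to carry health data.
    employee = {"name": "A. Kumar", "email": "a.kumar@example.com", "diagnosis": "asthma"}
    for req in (TransferRequest("US"), TransferRequest("US", transfer_measure="contract")):
        d = evaluate(employee, req)
        print(req.destination, req.transfer_measure or "-", d.tier, d.allowed, d.actions)
```

The check is deliberately field-driven rather than record-type-driven: the article’s point is that one health or biometric field inside an otherwise ordinary employee, client or vendor record drags the whole record into the stricter tier, so classification has to look at the fields actually present, not at the name of the table.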
6. Significant Data Fiduciaries and Special Requirements
Companies that cross thresholds set by reference to factors such as the volume or sensitivity of the data they process will be designated by the DPAI as significant data fiduciaries. These will be subject to more detailed compliance obligations, such as appointing a data protection officer in India, carrying out data protection impact assessments and undergoing audits.
Special requirements will also be prescribed for social media intermediaries that meet a threshold to be set by the government in consultation with the DPAI. These include a mandatory requirement to offer users the option of voluntary identity verification and to publicly indicate which users have been verified in this way.
7. Data Trust Score and Certified Privacy-by-Design Policies
The law also gives fiduciaries an option to have their privacy-by-design policies certified, which they can also disclose publicly. Only policies that meet a specified standard will be eligible for certification, although the certification could be mandated for certain fiduciaries or processing activities.
An additional advantage of having a certified privacy-by-design policy is that such companies will be eligible to apply for a sandbox that has been proposed under the law. The sandbox will encourage innovation in new technology like artificial intelligence and machine learning by relaxing data processing restrictions around purpose, collection and storage limitations.
8. State Access to Anonymous, Non-Personal and Personal Data
The Indian government has retained a right to ask for anonymous and non-personal data. At present, there is no clarity about how to address company concerns about intellectual property rights, confidential data and trade secrets. It must be noted that a separate governmental committee is deliberating a law to govern non-personal data, although it is currently unclear how the laws will relate to each other. The government can also seek personal data under a national security exemption, which allows the relaxation of any or all provisions of the law.
9. Penalties and Criminal Offenses
Penalties under the law take the form of a two-tiered system, similar to the GDPR. For violations that are less severe or more procedural in nature, the penalty can be up to 50 million rupees (approximately $700,000) or 2% of the annual global turnover, whichever is higher. For more serious or substantive violations, the penalty can be as high as 100 million rupees (approximately $1.4 million) or 4% of the annual global turnover. Data principals are also entitled to seek compensation from a data fiduciary or a data processor.
The law also prescribes criminal offenses with a fine of 200,000 rupees (approximately $2,800) and imprisonment of three years for intentionally reidentifying de-identified data. Both private companies and the state can be held accountable for privacy violations.
Asheeta Regidi is an India-based lawyer specializing in technology and privacy laws. She currently heads fintech policy at Cashfree.