Draft Personal Data Protection BillDecember 2018
India’s proposed Personal Data Protection Bill adopts European concepts of data rights (calling individuals “data principals” and organizations that hold data “data fiduciaries”) and establishes a Data Protection Authority to audit and enforce. The Bill:
- Grants individual rights to data access, data portability and to be forgotten.
- Softens the GDPR’s confusing and often impractical “consent” obligations.
- Proposes strict national security provisions that would give the government extraordinary search and seizure power, and impose burdensome storage requirements and cross-border data transfer restrictions.
The Bill’s generally reasonable consent rules and data protections are overwhelmed by significantly burdensome and costly data storage and transfer provisions and apparently unfettered law enforcement powers. The Bill also fails to sufficiently exempt small businesses – which we fear will hurt competition and innovation.
India’s Draft Personal Data Protection Bill mirrors many of the core principles of Europe’s GDPR, but provides for simpler notice-based opt-out “consent”. However, the Bill also creates significant burdens on Indian businesses (and global businesses operating in India) by imposing strict “data localization” standards that require expensive new cloud storage operations and restrict cross-border data transfers. The core features of the Bill are:
- Notice and opt-out framework. Most collection and use of non-sensitive personal data is permitted under a notice and opt-out framework (called “informed” consent).
- Opt-in framework for sensitive data. Explicit affirmative consent is generally required for collection and use of sensitive data, including passwords, financial, health, biometric, religious beliefs, sexual orientation, and caste/tribe status;
- Access and deletion rights. Individuals have the right to access and in limited circumstances to require deletion of data;
- Localization. Burdensome “data localization” requirements;
- Cross-border transfer restrictions. Cross-border transfers are prohibited unless government pre-approves through a mechanism that is not defined in the Bill;
- Broad law enforcement powers. The Bill makes it relatively easy for law enforcement to search, seize and examine materials.
- Significant Data Fiduciaries. “Significant Data Fiduciaries” will be organizations that collect/handle a great deal of data or very sensitive data, or that conduct large-scale data profiling. SFDs will be required to (a) register with the India Data Protection Authority, (b) perform a risk-based data protection assessment designed to manage, minimize, and mitigate potential harm, (c) have privacy practices audited annually, and (d) appoint a data protection officer.
The most burdensome aspects of the bill are the localization requirement and cross-border transfer restrictions which impose substantial obligations and costs. Specifically, the Bill requires businesses to store one copy of all personal data in India, and arguably requires all sensitive data to be stored only in India. Additionally, the Bill permits cross-border data transfers only to pre-approved countries or where the transfer is specifically approved (via a mechanism that is not defined in the Bill).
The other issue of very significant concern is the broad law enforcement discretion to search, seize, and examine equipment, devices and other materials containing personal data. Authorities can initiate searches and seizures upon a mere “reasonable belief” of a likely violation or future violation of the bill – creating substantial risk of law enforcement abuse.
Clear Terms: Terminology should be clear to avoid confusion, inconsistency and disputes. [Score: 6/10]
Specific Harms: Legislation should focus on specific harms and outcomes. [Score: 6/10]
Helpful Processes: Required processes and notices should be clearly defined and helpful. [Score: 6/10]
Not Retroactive: Legislation should not be retroactive – new rules should not apply to previously lawfully collected data. [Score: 7/10]
Not Harmful: Legislation should not inhibit beneficial data models and uses. [Score: 6/10]
Free Speech: Legislation should not inhibit freedom of expression or government transparency. [Score: 4/10]
Simple Consents: Consent standards should be clear for organizations and promote clarity for consumers. [Score: 7/10]
International Commerce: International commerce and cooperation should not be inhibited. [Score: 3/10]
Fair Enforcement: Enforcement provisions should be responsible and trustworthy; not chilling or anti-competitive. [Score: 2/10]
Small Enterprises: Small organizations should not be prejudiced by impractical or anti-competitive burdens. [Score: 2/10]
“9-10” means the legislation thoughtfully accounts for the concern.
“7-8” means that, with adjustments, it can likely account for the concern.
“5-6” means it is neutral on the matter, or that any concerns can be readily cured or mitigated.
“3-4” means that causes confusion or concern, but not in as widespread a manner as a “1” rating.
“1-2” means that it is poorly drafted or considered, and likely generates more confusion or problems than it cures.