DATA PROTECTION POLICY ANALYSIS
India: Draft Personal Data Protection Bill
- Grants individual rights to data access, data portability and to be forgotten.
- Softens the GDPR’s confusing and often impractical “consent” obligations.
- Proposes strict national security provisions that would give the government extraordinary search and seizure power, and impose burdensome storage requirements and cross-border data transfer restrictions.
- Notice and opt-out framework. Most collection and use of non-sensitive personal data is permitted under a notice and opt-out framework (called “informed” consent).
- Opt-in framework for sensitive data. Explicit affirmative consent is generally required for collection and use of sensitive data, including passwords, financial, health and biometric data, religious beliefs, sexual orientation, and caste/tribe status.
- Access and deletion rights. Individuals have the right to access and, in limited circumstances, to require deletion of data.
- Localization. The Bill imposes burdensome “data localization” requirements.
- Cross-border transfer restrictions. Cross-border transfers are prohibited unless the government pre-approves them through a mechanism that is not defined in the Bill.
- Broad law enforcement powers. The Bill makes it relatively easy for law enforcement to search, seize and examine materials.
- Significant Data Fiduciaries. “Significant Data Fiduciaries” (SDFs) will be organizations that collect/handle a great deal of data or very sensitive data, or that conduct large-scale data profiling. SDFs will be required to (a) register with the India Data Protection Authority, (b) perform a risk-based data protection assessment designed to manage, minimize, and mitigate potential harm, (c) have privacy practices audited annually, and (d) appoint a data protection officer.
The most burdensome aspects of the Bill are the localization requirement and the cross-border transfer restrictions, which impose substantial obligations and costs. Specifically, the Bill requires businesses to store one copy of all personal data in India, and arguably requires all sensitive data to be stored only in India. Additionally, the Bill permits cross-border data transfers only to pre-approved countries or where the transfer is specifically approved (via a mechanism that is not defined in the Bill).
The other issue of very significant concern is the broad law enforcement discretion to search, seize, and examine equipment, devices and other materials containing personal data. Authorities can initiate searches and seizures upon a mere “reasonable belief” of a likely violation or future violation of the Bill, creating substantial risk of law enforcement abuse.