India

On September 22, 2020, the Federal Trade Commission (“FTC”) hosted “Data to Go,” a virtual workshop on data portability. The workshop convened experts from civil society, academia, and industry to discuss the potential risks and the consumer and competition benefits of data portability, along with issues and best practices related to its implementation in legislative and industry-led initiatives. The discussions emphasized five key themes regarding data portability efforts in the U.S. and globally.

More than a year after the Government of India’s Committee of Experts released a draft Personal Data Protection Bill in July 2018 (the “2018 draft”), India is one step closer to passing a comprehensive data privacy law. On December 11, 2019, India’s Minister for Electronics and Information Technology introduced an updated draft of the Personal Data Protection Bill (the “Bill”) in the Lok Sabha, India’s lower house of Parliament. The Bill was referred to a Joint Select Committee composed of parliamentarians from both the lower and upper houses.

The Joint Select Committee is due to report back to the Lok Sabha before the 2020 Budget Session of Parliament, which, although dates have not yet been set, usually runs from February to March.  At that point, the government is likely to table the Bill for discussion in Parliament either in the Budget Session or in the Monsoon session, which usually runs between July and September.

The updated Bill retains the core structure of the previous draft, which closely adheres to the model provided by the GDPR.  There are, however, noteworthy changes in this most recent Bill, including to some of the more controversial features of the 2018 draft, such as data localization requirements and provisions carrying criminal penalties.  The Bill also includes requirements that did not appear in the first draft, such as an enhanced right to erasure, obligations that attach to “anonymous data,” and specific requirements for “social media intermediaries.”  A new requirement for rulemaking by the data protection authority (“DPA”) could provide additional opportunities for public consultation.

Below we summarize the key changes in this most recent draft of the Bill.

Key Provisions in India’s Draft Personal Data Bill

This post is a follow-up to our earlier post on the release of India’s draft personal data protection bill. In this post, we go into greater detail about the bill’s provisions and flag issues for companies worldwide that may process data in India or provide goods or services in India.

High Level Insights

The General Data Protection Regulation (GDPR) as a Model: For the most part, the Committee’s recommendations use GDPR as a model. The draft bill grants individual rights, institutes heightened consent requirements, mandates organizational practices such as DPIAs, and imposes stiff penalties for non-compliance. However, the draft bill coins new terminology, referring to GDPR’s “data subjects” as “data principals” and GDPR’s “data controllers” as “data fiduciaries.”

Data Localization: The Committee includes a data localization provision that requires that copies of Indian personal data be stored in India. Likewise, it erects barriers that make it more difficult to transfer personal data out of India.

The Central Role of the Data Protection Authority (DPA): As in GDPR, the draft bill would introduce a DPA with the power to interpret regulations, investigate businesses, and issue fines, injunctions, and even criminal penalties. But unlike GDPR, the Committee’s proposal empowers the DPA to engage in rulemaking. For example, the DPA could identify new categories of sensitive data, specify new lawful bases for processing, and decide whether a particular business needs to hire a DPO, perform a DPIA, or undergo a data audit. As such, the DPA’s leadership and structure may have a substantial impact on the scope of India’s data protection regime.

On the 24th of August 2011, the Government of India’s Ministry of Communications & Information Technology finally issued clarification on the application of the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (the “Rules”). As we blogged here, much ambiguity has surrounded the interpretation and effect of the

This April, the Indian government quietly passed the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (the “Rules”). Among other things, the Rules require written consent for the processing of “sensitive personal information” in India and that organizations processing personal information in India implement reasonable security practices and procedures. As drafted, the Rules apply to organizations that process personal information, including sensitive personal information, in India regardless of where the information originates or whether the information relates to Indian or non-Indian citizens. The Rules also do not differentiate between “data controller” and “data processor” and thus it is likely that they apply to all organizations engaging in data processing activities in India, whether or not the processing is performed on behalf of other organizations.

Much ambiguity surrounds the interpretation and practical effect of the Rules, and the Indian government had not provided any clarification on the Rules at the time of writing, although it is expected to respond to questions posed by industry stakeholders on the meaning of certain provisions in the coming weeks.

The key features of the Rules, and their potential application, are discussed below:

1. Definition of Sensitive Personal Information. The Rules provide an exhaustive definition of “sensitive personal data”, which is similar to the definition contained in the EU Privacy Directive. This definition encompasses passwords, financial information, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information. The definition excludes any information that is freely available or in the public domain.

2. Privacy Policy Requirement. Organizations based in India are required to adopt a privacy policy to cover their processing of personal information and sensitive personal information. The Rules set forth certain disclosure obligations for such policies, e.g., disclosure of the categories of information collected and the purposes of the processing.