On September 22, 2020, the Federal Trade Commission (“FTC”) hosted “Data to Go,” a virtual workshop on data portability. The workshop convened experts from civil society, academia, and industry to discuss the potential risks and the consumer and competition benefits of data portability, along with issues and best practices related to its implementation in legislative and industry-led initiatives. The discussions emphasized five key themes regarding data portability efforts in the U.S. and globally.

Key Provisions in India’s Draft Personal Data Bill

This post is a follow-up to our earlier post on the release of India’s draft personal data protection bill. In this post, we go into greater detail about the bill’s provisions and flag issues for companies worldwide that may process data in India or provide goods or services in India.

High Level Insights

The General Data Protection Regulation (GDPR) as a Model: For the most part, the Committee’s recommendations use GDPR as a model. The draft bill grants individual rights, institutes heightened consent requirements, mandates organizational practices such as DPIAs, and imposes stiff penalties for non-compliance. However, the draft bill coins new terminology, referring to GDPR’s “data subjects” as “data principals” and GDPR’s “data controllers” as “data fiduciaries.”

Data Localization: The Committee includes a data localization provision that requires copies of Indian personal data be stored in India. Likewise, it erects barriers that make it more difficult to transfer personal data out of India.

The Central Role of the Data Protection Authority (DPA): As in GDPR, the draft bill would introduce a DPA with the power to interpret regulations, investigate businesses, and issue fines, injunctions, and even criminal penalties. But unlike GDPR, the Committee’s proposal empowers the DPA to engage in rulemaking. For example, the DPA could identify new categories of sensitive data, specify new lawful bases for processing, and decide whether a particular business needs to hire a DPO, perform a DPIA, or undergo a data audit. As such, the DPA’s leadership and structure may have a substantial impact on the scope of India’s data protection regime.

On July 27, 2018, the Government of India’s Committee of Experts released a draft Protection of Personal Data Bill. Together with an accompanying report, the draft bill moves India one step closer towards enacting a comprehensive data protection regime.

Last year, the Supreme Court of India issued a landmark decision holding that privacy is a fundamental right under India’s Constitution. In that opinion, the Court invited the Government of India to formulate “a regime for data protection.” As a result, the Government established the Committee of Experts “to study various issues relating to data protection in India, make specific suggestions on principles underlying a data protection bill and draft such a bill.”

In November 2017, that Committee released a White Paper that outlined its views on data protection and solicited public comments. The draft bill incorporates those comments as well as the Committee’s own analysis.

On 24th of August 2011, the Government of India’s Ministry of Communications & Information Technology finally issued clarification on the application of the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (the “Rules”). As we blogged here, much ambiguity has surrounded the interpretation and effect of the


This April, the Indian government quietly passed the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (the “Rules”). Among other things, the Rules require written consent for the processing of “sensitive personal information” in India and that organizations processing personal information in India implement reasonable security practices and procedures. As drafted, the Rules apply to organizations that process personal information, including sensitive personal information, in India regardless of where the information originates or whether the information relates to Indian or non-Indian citizens. The Rules also do not differentiate between “data controller” and “data processor” and thus it is likely that they apply to all organizations engaging in data processing activities in India, whether or not the processing is performed on behalf of other organizations.

Much ambiguity surrounds the interpretation and practical effect of the Rules, and the Indian government had not provided any clarification on the Rules at the time of writing, although it is expected to respond to questions posed by industry stakeholders on the meaning of certain provisions in the coming weeks.

The key features of the Rules, and their potential application, are discussed below:

1. Definition of Sensitive Personal Information. The Rules provide an exhaustive definition of “sensitive personal data”, which is similar to the definition contained in the EU Privacy Directive. This definition encompasses passwords, financial information, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information. The definition excludes any information that is freely available or in the public domain.

2. Privacy Policy Requirement. Organizations based in India are required to adopt a privacy policy to cover their processing of personal information and sensitive personal information. The Rules set forth certain disclosure obligations for such policies, e.g., disclosure of the categories of information collected and the purposes of the processing.