Stephen Mathias from Kochhar & Co. reports that on December 16, 2021, the Indian Joint Parliamentary Committee (the “JPC”) submitted its report on India’s draft Data Protection Bill (the “Bill”). The Bill is now likely to be passed by Parliament in its next session, beginning in February 2022, and likely will enter into force in the first half of 2022. In its report, the JPC recommended a phased approach to implementing the law, beginning with the appointment of various government officers, such as the Data Protection Authority (“DPA”), with full implementation of the law to be completed within 24 months. The JPC’s report also contained a revised draft of the Bill. Certain key aspects of the revised Bill are summarized below.
Many of the proposed changes to the Bill in the revised draft relate to the powers of the government and issues to be considered by the DPA in making its decisions. One key change relates to notification to the DPA within 72 hours of discovery of a data breach, which the Bill makes mandatory for every breach affecting Indian data subjects. Following notification, the DPA would decide whether data subjects would need to be notified of the data breach.
In its report, the JPC also expanded the scope of the Bill to cover non-personal data, though in a limited way. Most provisions of the Bill still apply only to personal data. A provision in an earlier proposed version of the Bill allowing the government to regulate the sharing of non-personal data remains intact. The purpose of this provision is to enable the government to better deliver services and formulate evidence-based policies. Notably, certain enabling powers may allow the government to expand the scope of the regulation of non-personal data in the future.
Additionally, data localization requirements remain unchanged in the Bill. “Critical data” must be processed locally in India. “Sensitive personal data” (including biometric information, government identifiers and financial information) may be transferred out of India, but a copy of the data must be stored in India.
Another key aspect of the Bill is its consent requirement. Under the Bill, consent to data processing is required in most cases, except in very limited circumstances, such as to comply with court orders and statutory requirements and in the event of medical emergencies. The Bill does not provide for a legitimate interest ground for data processing. While the DPA has the power to recognize “reasonable purposes” for data processing, businesses cannot rely on such recognition in lieu of obtaining consent from data subjects. Instead, this ground would be available only after the DPA provides notice of what it considers to be “reasonable purposes.”
Lastly, the Bill imposes further technical obligations on businesses. For example, the Bill requires a data controller to explain the fairness of its use of algorithms or methodologies. This may implicate the intellectual property rights or trade secrets of data controllers. Additionally, the definition of “personal data” under the Bill includes inferred data in certain circumstances.
Overall, the Bill goes beyond the GDPR in certain respects and will present new compliance considerations for many businesses subject to the law.