After decades of free rein to gather and use personal data, Earth’s second-largest internet-using population may soon be imposing data privacy rules. Ravi Shankar Prasad, India’s Telecom and IT minister, recently indicated that the Personal Data Protection Bill, 2018 (PDPB), will be “quickly” taken to Parliament for final amendments. The proposed Bill is inspired by the General Data Protection Regulation of the European Union (GDPR).
With over 500 million internet users and an e-commerce market second only to China, India offers extraordinary business opportunities to international internet companies. The PDPB changes the basic rules for companies to collect data from Indian citizens.
In August of 2017, the Supreme Court of India decided that the “right to privacy is protected as an intrinsic part” of the constitutional rights to life and personal liberty. This decision helped create movement toward national privacy legislation.
The PDPB is modeled after the GDPR, but there are significant differences between the Indian legislation and European law. For instance, the PDPB does not give Indians the “right to be forgotten,” which requires entities to completely delete data consumers have shared. The PDPB has a limited enumerated right which only allows individuals to restrict companies from using their data.
Another major difference is their respective approaches to data localization, the process by which a citizen’s information is restricted from leaving that citizen’s home country for processing, storage and collection before, or instead of, being transferred internationally. Like the laws of China, Russia, and Saudi Arabia, the PDPB requires companies to localize data. Under the GDPR, by contrast, data can flow abroad with “adequate protections,” especially where an international company appoints a local EU representative.
Data localization is a polarizing concept. On one hand, India’s richest man, Reliance Chairman Mukesh Ambani, declared that Indian data should be owned exclusively by Indian citizens; on the other, Facebook CEO Mark Zuckerberg has called data localization a dangerous precedent. Companies such as Airtel, Reliance, PhonePe, and Alibaba have spoken up to support data localization efforts, while others like Amazon, Microsoft, and Mastercard ardently oppose it.
Penalties for ignoring the Indian law are familiar and severe. The PDPB mirrors the GDPR on penalties. Just like the GDPR, the draft bill prescribes differing ranges of penalties for contravention of different provisions. Some violations come with a maximum penalty of either Rs 5 crore ($727,450) or 2% of the global turnover of a company in the previous year (whichever is higher). For other violations, such as non-compliance with the PDPB’s cross-border transfer provisions and its provisions on consent and grounds of processing, penalties extend to Rs 15 crore ($2,184,525) or 4% of the global turnover in the previous financial year (whichever is higher).
Groundbreaking privacy laws are not without precedent in India. In 2000, India enacted the Information Technology Act (ITA). The ITA provided elaborate procedures for certifying authorities and electronic signatures and created a civil offense for data theft. The ITA also defined certain cyber crimes and the punishments attached to them. The enforcement that followed tended to focus on identity theft crimes, where there was unauthorized access to personal information and the use of the information for personal gain or to the victim’s detriment.
Companies gathering data in India do not need to change their procedures yet, but they should be watching carefully to know when the winds shift and local servers become a necessity.