Indian data privacy laws are in the process of being overhauled following the Indian Supreme Court's 2017 ruling, which held that informational privacy is a fundamental right. The first iteration of the proposed law was released in 2018; subsequently, a second iteration called the Personal Data Protection Bill 2019 (PDP Bill) was introduced in 2019 with some changes. Following its release in December 2019, the PDP Bill was referred to a joint parliamentary committee of the Indian Parliament (JPC) for its review and recommendations.
After nearly two years of discussions, the JPC placed its report before the Parliament on 16 December 2021. The report can be viewed here.
The report contains a detailed account of the regulatory intentions behind the new data privacy bill and deserves to be read in its entirety. The following are a few key recommendations proposed by the JPC:
- inclusion of non-personal data in scope - to avoid having multiple legislations and separate data protection authorities, the report proposes to include regulation of non-personal data within the provisions of the PDP Bill. A single data protection authority (DPA) will govern both non-personal data and personal data;
- data localisation - where existing personal data is held by entities outside of India, storing a copy of sensitive and critical data within India should be required. It is reiterated that government surveillance over such data will be subject to strict application of the principle of necessity;
- data protection officers (DPOs) - in addition to the existing requirement of being an Indian resident, the DPO should be "key managerial personnel" of the data collector and possess requisite domain expertise;
- clear consent - language of the draft provision pertaining to consent should be modified to clarify that the data subject's consent is to be obtained based on the context and conduct of collection, without any kind of implicit inferences;
- data collection through hardware products - this includes the formulation of a certification mechanism for emerging technologies (which are used to train systems based on artificial intelligence), digital and internet of things devices that collect personal data. Lab or testing mechanisms are to be set up across India to provide this facility, and devices or technologies that do not meet the criteria set out by the DPA are to be denied certification;
- social media platforms - all social media platforms that do not act as intermediaries, but exercise control on the visibility and target audience of content hosted on their platforms, are to be treated as "publishers" and held accountable for such content. Additionally, no social media platform is to be permitted to operate in India unless the parent company of such a platform has set up a physical office in India;
- phased implementation - the report recommends providing subject entities a period of two years from the date of enforcement of the law to undertake necessary changes to comply with the provisions of the PDP Bill; and
- data of children - data collectors that would be dealing exclusively with children's data must register with the DPA.
It should be noted that this version of the report and these recommendations may influence the final law passed by Parliament. As a next step, a fresh data privacy bill is expected to be tabled for discussion in the near future.
For further information on this topic please contact Vikram Jeet Singh or Kalindhi Bhatia at BTG Legal by telephone (+91 22 6177 2900). The BTG Legal website can be accessed at www.btg-legal.com.