Monday, July 30, 2018
Gov’t of India Publishes Draft Data Protection Bill
On July 27, India’s Ministry of Electronics and Information Technology (MEIT) published the country’s long-awaited draft data protection bill, prepared by the committee chaired by former Supreme Court Justice B.N. Srikrishna. A lengthy commentary on the nature of privacy and the draft legislation, released at the same time, described the approach taken in the bill as a “template for the developing world” and a “Fourth Way” triangulating between the data protection models advanced by the US, the EU and China. At the same time, the draft appears to be closely aligned with the GDPR, being comprehensive rather than sectoral; establishing a data protection authority; requiring the appointment of data protection officers; requiring data protection impact assessments when needed; including cross-border data transfer restrictions; requiring notification of data breaches to the DPA and if warranted to individuals; including the right to data portability and the right to be forgotten; and setting fines of up to 4% of annual turnover. A notable divergence from the GDPR is the bill’s requirements for data localization with respect to financial and health data. Following a period of public consultation and likely adjustments as a result, the Personal Data Protection Bill will be submitted to the Parliament of India.