The world’s largest democracy has Constitutional privacy protection, but no omnibus privacy law. The most prominent proposed privacy act looks like GDPR, with special data access rights reserved for the Indian government.
The lower house of India’s bicameral Parliament, Lok Sabha, introduced the Personal Data Protection Bill of 2019 (PDPB) last Wednesday and has been sent to a joint select committee. In 2018, the Supreme Court of India declared privacy a fundamental right under Article 21 of their Constitution, which speaks to the protection of life and personal liberty. Pursuant to this decision, Parliament is looking to codify the bounds of consumer privacy. The PDPB attempts to regulate the sharing of personal data, the processing of “sensitive” and “critical” personal data, and establish a Data Protection Authority of India (DPAI) for enforcement and regulations. The bill is significant in its reservation of data access for the central government, and watered down version of a data localization requirement.
Like many comprehensive privacy proposals, it promotes consent based data sharing, purpose limitation, and data minimization. Consumers are conferred certain rights that are also strikingly familiar to those following the GDPR and CCPA, including the ability to correct inaccurate data, erase data, update data, portability, and the restriction on disclosures and transfers.
But there is a significant difference in the PDPB and the GDPR and CCPA. The PDPB would grant the central government, in Section 35, to allow any government agency to bypass all privacy protections, with the only limitations being (i) a written order from the central government specifying the reasons for breaching privacy and (b) in a manner (procedures, safeguards and oversight mechanism) “as may be specified” in future. The 2018 draft of the PDPB only granted the central government exemptions for “the security of the State.” This reservation of power for central governments has been a matter of international concern for a long time. In October 2015, the Shrems adequacy decision eliminated the “Safe Harbor” on American processing of European data because the Court of Justice of the European Union believed that the United States federal government would have access to that information at will. Recently, United States senators from both major American parties have expressed concern over the increased popularity of the social media app TikTok because Chinese cybersecurity laws allow for them to get access to private data when they deem it critical.
The PDPB also eliminates the data localization requirement that was in the 2018 draft of the bill. The 2018 draft disallowed processing of “critical” personal data abroad and put rigorous regulatory oversight on “sensitive” personal data including explicit consent, contractual clause, approval of DPAI and central government permission. The new version only requires a similar rigor for “critical” and “sensitive” personal data. “Personal data” is defined as any characteristic, trait, attribute or other feature of the identity of a natural person, and “sensitive personal data” relates to financial data, health data, genetic and biometric data, caste, religious or political belief or affiliation etc. “Critical personal data” will be defined by the DPAI.
If the PDPB is to become law in its current iteration, all eyes will be on the international community in reacting to the easy access of the central government. And the watered down data localization requirement presents a minor victory for American and European entities that felt aggrieved by the original proposal.