India has taken another step towards realizing its dream of becoming a truly digital economy. Nearly a year after the landmark judgement by the Supreme Court of India that declared privacy as a fundamental right, the ‘Justice BN Srikrishna Committee’ (the Committee) released its first draft of the Personal Data Protection Bill (PDPB or the bill) on 27 July 2018.
Key highlights of the bill include:
- Data protection obligations, such as maintaining transparency, record keeping, conducting DPIAs, appointing a Data Protection Officer (DPO) and timely notification of breaches, are imposed on organizations (called data fiduciaries/data processors) that process the personal data of Indian residents (called data principals).
- Legal grounds are defined on which the personal data and sensitive personal data of Indian residents (including children) could be processed.
- Data principals are given rights to control their personal data that is being processed by the data fiduciaries, such as the right to data portability and the right to be forgotten, similar to the ones provided to a data subject under GDPR.
- Measures such as privacy by design, notice, de-identification and encryption are suggested for data fiduciaries to put in place while processing personal data of the data principals, to ensure transparency and accountability. While Indian organizations are on an equal footing with global standards for ensuring security of the data they process, realizing concepts such as privacy by design may require additional time and resource cost.
- Data localization is introduced in the bill, mandating that a copy of the personal data be stored in servers/data centers in India. Certain categories of data (to be notified by the central government/DPAI), termed critical personal data, shall only be processed in a server or data center located in India.