Data security

India’s New Data Protection Law modelled after EU’s GDPR

Data Protection Bill raises confusion and controversy

India’s Union Minister of Electronics and Information Technology, Ravi Shankar Prasad, has announced that the bill regarding Data Protection has been finalised. The bill is expected to be heard in the Indian Parliament in June.

In its current form, the bill has raised considerable confusion, as there is concern among Indian boards of directors that it will slow the progress of the country’s IT industry.

The law will not, however, affect overall data processing, including that of Big Data, in any way, cautioned S. Gopalakrishnan, Joint Secretary, Ministry of Electronics and Information Technology, on April 8, 2019.

“The government will ensure that the law does not become an ‘unintended barrier’ to India’s growth in digital economy. The core focus of the bill is on the individual and how to protect his or her privacy based on consent. Anything else is irrelevant,” the official explained.

So reports that companies will be obliged to remake their entire data processing operations are entirely false. “Countries from across the world are coming to do business in India and vice versa. If too many speed breakers are put in place, it would make difficult to extract data,” Gopalakrishnan added.

Data Protection Bill is similar to GDPR

The Indian Supreme Court’s recognition of the ‘right to privacy’ as a fundamental right under the Constitution of India in August 2017.

The next step was the Data Protection Bill which was proposed in the same year. “The bill, which runs into 112 sections, comes with its own challenges and ambiguities,” says a report by PwC and The Associated Chambers of Commerce and Industry  of India (Assocham).

The bill will be applicable to all organisations based in India, and to those who make use of personal data from India wherever they may be in the world – these are defined as ‘data fiduciaries.’

“The bill, in this way, is a positive step in ensuring that a level playing field is established for Indian corporations as well as multinationals wanting to do business in India under the same privacy jurisdiction,” the report says. “It is in line with regulations that are currently prevalent, such as the EU’s General Data Protection Regulation (GDPR, (EU) 2016/679). It touches upon almost all the domains of personal data privacy such as collection limitation, fair and lawful processing, notices/consents, data subject rights, privacy by design, security safeguards, transfer of personal data, penalties, data quality, privacy incidents or breaches and children’s privacy. The bill has also identified the supporting regulatory and administrative framework for enabling the enforcement of its roll-out,” the report continues.

Penalties for non-compliance are severe

As the bill states:

“ Where the data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to five crore rupees (50 million rupees) ($7.51 million) or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable

(a) obligation to take prompt and appropriate action in response to a data security breach under section 32 of this Act;

(b) obligation to undertake a data protection impact assessment by a significant data fiduciary under section 33 of this Act;

(c) obligation to conduct a data audit by a significant data fiduciary under section 35 of this Act;

(d) appointment of a data protection officer by a significant data fiduciary under section 36 of this Act;

(e) failure to register with the Authority under sub-section (2) of section 38.”

Data Protection Bill Challenges and Ambiguities

But the bill comes “with its own challenges and ambiguities” as the PwC-Assocham report puts it.

The Data Localisation provisions pose a very controversial challenge. The bill requires that one copy of all personal data to which the law applies be stored on a server located in India. The bill also gives the Indian government the authority to classify information as “critical personal data,” which may only be stored within India.

“It is significant that this would broadly apply to any data, ‘collected, disclosed, shared, or otherwise processed within the territory of India,’ meaning, for example that it could capture all personal data provided by foreign entities to Indian IT companies for processing, even if such foreign entities do not process Indian citizens’ data,” as law firm WilmerHale points out.

There has been much objection to this provision, for example, the Indian IT sector’s trade association, NASSCOM, has criticised this provision, raising concerns that the “mandated localisation of all personal data… is likely to become a trade barrier” within India, disproportionately impacting smaller companies and start-ups.”

Provisions on anonymisation pose ambiguities

Then the provisions on anonymisation pose ambiguities. “The proposed bill explicitly states that it will not apply to the processing of anonymised data. However, organisations are required to apply the standards specified by the Data Protection Authority (DPA) for anonymisation. The exclusion of anonymised data will considerably bring down the obligations on entities (both in the private and public sector). In order to prevent harm to specific groups of individuals, the limitation of processing and publishing analysis of anonymised data should be evolved,” comments PwC-Assocham.

Legal experts also complain that the bill creates a regulatory challenge: The Data Protection Authority that will enforce the law is not sufficiently independent.

“The central government has significant control over the regulatory regime, and it is vulnerable to capture by industry,” warns Chinmayi Arun, assistant professor of Law at the National Law University in New Delhi.

“The draft bill gives the central government the power to appoint members of the data protection authority upon the recommendation of an outside committee. The appointment is for a term of five years, which seems much too short to give a new institution sufficient time to learn the ropes and gain the independence it needs to be an effective regulator. The central government also has the ability to remove members of the authority for reasons specified in the law.”

What boards of directors need to consider

The upcoming Indian Data Protection Law will place a heavy governance burden on boards who must implement compliance and make security improvements. Managing this requires both a reference source for good governance, and background on security protections. Diligent Governance Cloud, with its library of Diligent Insights and wealth of background material, along with its ability to accelerate discussions among board members and experts, can be a powerful tool to speed this implementation.

Diligent Governance Cloud: A reliable tool for achieving compliance

The Governance Cloud, the only integrated enterprise governance management solution that enables organisations to achieve best-in-class governance, is an ecosystem of software tools that digitises the various activities and tasks for the board of directors. As organisations grow more complex and regulations more stringent, the scope of governance responsibilities evolves. The Governance Cloud allows boards of directors to meet the demands in the boardroom and beyond with the ability to select the products they need that help them perform their best and work within their allotted budgets.

For more information, visit or to speak to a Governance Expert, request a demo.

Board Portal Buyer’s Guide

With the right Board Portal software, a board can improve corporate governance and efficiency while collaborating in a secure environment. With lots of board portal vendors to choose from, the whitepaper contains the most important questions to ask during your search, divided into five essential categories.

Featured Blog