India Data Privacy: Is a Countrywide Law Finally on the Horizon?
In the wrong hands, breached personal and private data can be used to forge documents, infiltrate company networks, ruin reputations, empty financial accounts, and more. It’s understandable, then, that there’s been a growing interest in a countrywide personal data protection act in India. So why was India’s Personal Data Protection Bill withdrawn?
George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. With significant legal experience in international organizations focused on technology and software, George specializes in data privacy and data governance, data classification, intellectual property management and technology partnership.
Jurisdictions of every size are realizing how valuable personal data is, how often it can be breached, and how much it requires protection. According to IBM, the average cost of a data breach reached an all-time high in 2022, putting enterprises worldwide on increased alert.
Consumers and business owners increasingly experience how widely personal data can be used by advertisers.
They are also more aware of how breached data can be used by spammers and identity thieves: In the wrong hands, breached personal and private data can be used to forge documents, infiltrate company networks, ruin reputations, empty financial accounts, and carry out other damaging and costly actions.
It’s understandable, then, that there’s been a growing interest in a countrywide personal data protection act in India.
The right to privacy has already been recognized as an intrinsic element of the right to life and personal liberty under Article 21 of the Indian Constitution. Currently, however, while India has some data regulation under the Information Technology Act of 2000, it lacks a comprehensive and uniform law for data protection.
As a result, India’s Personal Data Protection Bill 2019 (PDPB) was introduced in December 2019 to the lower house of the Indian Parliament, Lok Sabha. Two years after its introduction, the Joint Parliamentary Committee under the Lok Sabha tabled a report on the Bill and set forth 93 recommendations. The Bill, if it had been enacted, would have established a new federal data protection authority of India, which would oversee regulations and enforce its provisions.
However, as of August 3, 2022, the Bill has been withdrawn. It is no longer being considered in Parliament. Instead, a new bill is expected to be presented for public consultation in the next few months.
According to the report submitted by the committee in late 2021, many amendments were suggested by legislators to make the PDPB more comprehensive and adaptive to the ever-increasing processing of digital data in India and the world.
But why was India’s Personal Data Protection Bill dropped?
The original bill:
Thus, to create a framework that really balances the legitimate interest of businesses with appropriate security and privacy for Indian residents, the PDPB was withdrawn in anticipation of a better version—one that would be on par with other global data privacy laws and principles.
The anticipated draft of India’s new data protection bill is expected to include the following key tenets:
The new bill is expected to resemble the EU GDPR in many respects, such as data subject rights and the principles of accountability and responsibility with regard to the protection of personal data.
The new bill is expected to differ from the GDPR in areas such as
The timeline for public consultations is yet to be announced. The Indian government is, however, anticipating a new draft bill in the 2022 winter session of Parliament. Thus, sometime in 2023 is the earliest that any data protection law in India would come into force.
The question is not if, but when India will have a comprehensive national data privacy law.
Considering the vast size of the Indian IT asset market, the growth of the digital economy in India, and the exponential growth of personal data being processed, companies in India need to prepare now for the new regulation.
Such preparation must include evaluating how personal data or information is treated when it has reached end of life and is no longer needed.
This includes taking a careful look at sanitizing dark, redundant, obsolete, and trivial (ROT) data throughout each organization’s network.
It also means putting in place appropriate and secure processes that remove all data when drives and devices are retired, sent out for repair, or otherwise made ready for disposal.
With punitive consequences for data breaches, additional accountability, and specific data storage requirements, it will be more important than ever in India to have the proper data sanitization measures in place. This will mean adopting practices that verify and certify that data has been permanently rendered inaccessible.
If data localization mandates are indeed included, a new India data protection law could also affect global organizations doing business in the country. Such data storage mandates could mean migrating data from different locations to meet the data localization requirements. Those mandates may also require implementing ongoing remote erasure across data center environments.
Complying with such requirements means businesses will need to evaluate their end-of-life data management practices. This applies both to active networks and to how they dispose of data storage drives, computers, mobile devices, servers, and other hardware.
Regulations often require actions that would be best practice even if a law weren’t in place.
For instance, the GDPR requires that personal data be destroyed after it’s no longer needed.
But even without such a requirement, a company that regularly gets rid of unnecessary data is less vulnerable to breaches. It also experiences less damage to sensitive personal and business data if a breach occurs.
Organizations that regularly destroy end-of-life data also have fewer data storage needs and often gain efficiencies in other areas of data management. Likewise, erasing data on decommissioned drives and devices prevents that data from being accessed by unauthorized users down the road.
These benefits can be realized before a law goes into effect. In fact, businesses that consider their end-of-life data practices today will be better prepared to comply with any data destruction guidance specified in the new India data protection bill.