India Data Privacy: Is a Countrywide Law Finally on the Horizon?

Sep 28, 2022 Blog Article

In the wrong hands, breached personal and private data can be used to forge documents, infiltrate company networks, ruin reputations, empty financial accounts, and more. It’s understandable, then, that there’s been a growing interest in a countrywide personal data protection act in India. So why was India’s Personal Data Protection Bill withdrawn?

George Janssen, Blancco Group Legal Counsel

George Janssen heads up the Blancco Technology Group legal department, a position he’s held since 2018. In this role, George is responsible for the day-to-day legal operations of the Blancco group worldwide, including data privacy and compliance. With significant legal experience in international organizations focused on technology and software, George specializes in data privacy and data governance, data classification, intellectual property management and technology partnerships.

A global concern for data privacy and protection

Jurisdictions of every size are realizing how valuable personal data is, how often it can be breached, and how much it requires protection. According to IBM, the average cost of a data breach reached an all-time high in 2022, putting enterprises worldwide on increased alert.

Consumers and business owners increasingly experience how widely personal data can be used by advertisers.

They are also more aware of how breached data can be used by spammers and identity thieves: in the wrong hands, breached personal and private data can be used to forge documents, infiltrate company networks, ruin reputations, empty financial accounts, and carry out other damaging and costly actions.

It’s understandable, then, that there’s been a growing interest in a countrywide personal data protection act in India.

The Personal Data Protection Bill in India

The right to privacy has already been recognized as an intrinsic element of the right to life and personal liberty under Article 21 of the Indian Constitution. Currently, however, while India has some data regulation under the Information Technology Act of 2000, it lacks a comprehensive and uniform law for data protection.

As a result, India’s Personal Data Protection Bill 2019 (PDPB) was introduced in December 2019 to the lower house of the Indian Parliament, the Lok Sabha. Two years after its introduction, the Joint Parliamentary Committee under the Lok Sabha tabled a report on the Bill and set forth 93 recommendations. The Bill, had it been enacted, would have established a new federal data protection authority of India, which would have overseen regulations and enforced its provisions.

However, as of August 3, 2022, the Bill has been withdrawn. It is no longer being considered in Parliament. Instead, a new bill is expected to be presented for public consultation in the next few months.

Why Was India’s Personal Data Protection Bill Withdrawn?

According to the report submitted by the committee in late 2021, many amendments were suggested by legislators to make the PDPB more comprehensive and adaptive to the ever-increasing processing of digital data in India and the world.

But why was India’s Personal Data Protection Bill dropped?

The original bill:

Thus, to create a framework that really balances the legitimate interest of businesses with appropriate security and privacy for Indian residents, the PDPB was withdrawn in anticipation of a better version—one that would be on par with other global data privacy laws and principles.

What’s next for India data privacy and protection regulations?

A new personal data protection bill

The anticipated draft of India’s new data protection bill is expected to include the following key tenets:

  1. Material Scope of Application: Only electronic data will be governed under this new bill.
  2. Non-Personal Data: Both personal and non-personal data are to be brought within the scope of the bill.
  3. Criminal Penalties: Data breaches shall be considered serious offenses under Indian law and subject to significant penalties and criminal prosecution.
  4. Data Localization: This regards data residency and territorial restrictions. For instance, any storage of sensitive personal data must remain in India, and any processing of (critical) personal data has to occur only within the territory of India.
  5. Accountability and Transparency Practices: The responsibility of data protection and the transparency of processing activities would rest squarely on the data controllers and data processors.
  6. Timeline for Implementation: Companies would be given a period of two years to comply with the legislation once the new bill goes into effect.

How would the new Indian data regulations compare to the EU GDPR?

The new bill is expected to be similar to the EU GDPR in many aspects, such as data subject rights and the principles of accountability and responsibility with regard to the protection of personal data.

The new bill is expected to differ from the GDPR in areas such as

Need to be GDPR Compliant? Download How Does Blancco Help Organizations Comply with the EU General Data Protection Regulation?

Timeline for the new India data protection bill

The timeline for public consultations is yet to be announced. The Indian government is, however, anticipating a new draft bill in the winter session 2022 of the parliament. Thus, sometime in 2023 is the earliest that any data protection law in India would come into force.

How can Blancco help India businesses?

Anticipating future data sanitization requirements

The question is not if, but when India will have a comprehensive national data privacy law.

Considering the vast size of the Indian IT asset market, the growth of the digital economy in India, and the exponential growth of personal data being processed, companies in India need to prepare now for the new regulation.

Such preparation must include evaluating how personal data or information is treated when it has reached end of life and is no longer needed.

This includes taking a careful look at sanitizing dark data and redundant, obsolete, and trivial (ROT) data throughout each organization’s network.

It also means putting in place appropriate and secure processes that remove all data when drives and devices are retired, sent out for repair, or otherwise made ready for disposal.

With punitive consequences for data breaches, additional accountability, and specific data storage requirements, it will be more important than ever in India to have the proper data sanitization measures in place. This will mean adopting practices that verify and certify that data has been permanently rendered inaccessible.

Read how Blancco met the provisions of the original bill: How Blancco Helps Organizations Comply with India’s Personal Data Protection Bill

If data localization mandates are indeed included, a new India data protection law could also affect global organizations doing business in the country. Such data storage mandates could mean migrating data from different locations to meet the data localization requirements. Those mandates may also require implementing ongoing remote erasure across data center environments.

To comply with such requirements means businesses will need to evaluate their end-of-life data management practices. This applies to both active networks and how they dispose of data storage drives, computers, mobile devices, servers, and other hardware.

Data sanitization now—before a data protection bill is passed

Regulations often require actions that would be best practice even if a law weren’t in place.

For instance, the GDPR requires that personal data be destroyed after it’s no longer needed.

But even without such a requirement, a company that regularly gets rid of unnecessary data is less vulnerable to breaches. It also experiences less damage to sensitive personal and business data if a breach occurs.

Organizations that regularly destroy end-of-life data also have fewer data storage needs and often gain efficiencies in other areas of data management. Likewise, erasing data on decommissioned drives and devices prevents that data from being accessed by unauthorized users down the road.

These benefits can be realized before a law goes into effect. In fact, businesses that consider their end-of-life data practices today will be better prepared to comply with any data destruction guidance specified in the new India data protection bill.

Learn how data erasure protects Indian businesses.

Catch our on-demand webinar, “Reducing Data Bloat, Security Risk & Violation Vulnerability.”