India’s First Major Personal Data Protection Bill

Photo of the Indian flag.
Photo taken by Naveed Ahmed

On the 11th of December 2019, a new bill was tabled in Indian parliament and is the country’s first attempt to introduce legislative mechanisms for protection of personal data, creating a new level of Data Protection of Authority within the nation. Much like the European equivalent, General Data Protection Regulation (GDPR), the Personal Data Protection Bill (PDPB), will regulate how processing of an individual’s personal data can be conducted. The PDPB shares many similarities with the GDPR. They both seek to:

  • Impose tough penalties on organisations that fail to comply with the regulation or abuse an individual’s personal data.
  • Provide additional rights and freedoms to data subjects.
  • Place accountability on organisations for protecting an individual’s personal data.

However, there are also some stark contrasts, with some facets being particularly contentious. Most notably is the extensive freedom that will be given to Government bodies, law enforcement agencies, and authorised third parties to access citizen data. As such, these government agencies will be essentially be exempt from any legal obligations. Naturally, this has led to some resistance with fair criticism highlighting the risk of data misuse through all this potentially unaccounted access to personal data. The flip side of this is that the Government would have more control of the data itself to better track malicious activities.

Despite these concerns, the Bill should be acknowledged as a step in the right direction as India begins building a culture of ‘digital trust’ in cyber oriented world we live in.

The PDPB is expected to be passed into official law sometime in 2020 and will inevitably affect foreign trading companies with significant impact with new obligations for conducting business with its citizens. For a complete break-down of the differences of the GDPR and the PDPB, Covington and Burling have produced this .pdf document.

It is interesting to note that the analysis of the differences by the comparison indicates that in some instances ‘major operational change likely to be required’. Therefore, it is recommended that if you are currently dealing with India, it is advised that you gain familiarity with the PDPB, as changes may be needed to the way that data is processed.

About Us: Tacita are GDPR compliance experts. Tacita help clients achieve and maintain GDPR compliance. Get in touch to explore our range of GDPR services including the Tacita GDPR Audit, GDPR Consultant Service and the GDPR Toolkit.

Share this article: