Data Protection in India
Companies sometimes need to transfer our personal data to another country. Rules apply to this kind of transfer: the destination country must offer appropriate protection for personal data, and if it does not, the transfer is prohibited. This is the case for India, which the European Commission recognizes as not having adequate data protection. Yet India does have legislation; let's see what it says.
Personal Data Protection Right of 2018
Data law is affected by government-led projects such as the Aadhaar project or Digital India, which involve massive data collection and processing. In the field of data protection, India currently has one law in force and one text at the bill stage: the law on information technologies of 2000, and the personal data protection bill of 2018, now 2019. This article covers the latter.
The first version, in 2018, was drafted following the meeting of a committee of experts, the Srikrishna Committee, which wanted to create a data protection regime.
For example, here are some provisions of the text:
- Data fiduciaries must provide information to the data subject at the time the data is collected, and this collection must have a clear and legitimate purpose.
- The processing of personal data must be fair and reasonable and respect the privacy of individuals.
- In terms of the rights of the data subjects, there is the right of confirmation (that their personal data are processed), the right of access and the right of rectification.
- Concerning the international transfer and hosting of personal data outside India, “data trusts” are required to keep at least one copy of the personal data in the database in India. Some “critical personal data” can only be processed and hosted in India, and can only be transferred outside of India in rare cases such as health services.
- As for sanctions, the collection and processing of personal data in violation of the text are liable to a fine of a maximum amount of 150 million rupees or 4% of the turnover of the previous year.
There have been a number of criticisms of this bill, including the fact that the obligation to obtain the consent of the persons concerned does not apply to the government when the processing is necessary for the functions of the state. Another problem is that the text requires Indian personal data to be stored in India (either completely or on a mirror server). In practice, this obligation to differentiate and store data in India is cumbersome and costly to set up for small and medium-sized enterprises.
Personal Data Protection Right of 2019
In December 2019 the Ministry of Electronics and Information Technology proposed a new version of this text to the lower house of the Indian Parliament. The updated bill retains the basic structure of the previous version.
There are a few changes, such as a dilution of data localization. Before, data fiduciaries had to keep a copy of all personal data in India. Now, only sensitive and critical data must be copied on Indian soil. Sensitive personal data relate to financial data, health data, genetic and biometric data, caste, and religious or political beliefs. The data protection authority, the DPAI, also has more powers, such as the power to create and enforce regulations. Another major change is the addition of the right to be forgotten, that is, the right to have all our data erased.
This text cannot yet be considered complete; one aspect of cybersecurity is missing, for example. We can nevertheless see an improvement which, over the years, will perhaps allow India to be considered a safe country for our data.