The Indian Data Protection Bill (PDPB) and its impact on cross-border data transfers with EU companies
Since then, the country's government has been striving to create legislation that codifies and protects individuals' rights to data privacy.
The most recent bill was released in late 2022 and was tabled in parliament during the August 2023 monsoon session.
In this blog, we will discuss the main points of the bill and compare them to the GDPR.
Scope and objectives of the bill
The Digital Personal Data Protection Bill (hereinafter PDPB) was filed with the Indian Parliament on August 3, 2023. A 10-year development process preceded this submission. A much more comprehensive and prescriptive draft had already been submitted to Parliament in 2021; however, it was withdrawn and replaced by the current streamlined, principles-based draft that was introduced for consultation on November 18, 2022. An extensive consultation process took place, and there were some dozens of discussions at the highest levels of the ministry. The Ministry of Electronics and Information Technology has ultimately laid the first foundations for the development and adoption of tailored Indian legislation that seeks to strike a balance between enabling easy business and protecting sovereign imperatives, civil rights and data protection.
As a concise 33-page document written in simple language with several illustrations, the bill represents an important, almost anachronistic departure from the dense and prescriptive approaches of legislation on the protection of personal data, such as the GDPR, which until now have been the focus. Some of the key targets and elements of the PDPB are as follows:
- the establishment of general ground rules, several elements of which, such as consent, purpose limitation and data minimization, were tightened during the consultation process;
- the provision of some guidance through delegated legislation on concepts such as the manner of parental consent and privacy notices. Other concepts such as reasonable security practices and technical and organizational measures are left open to interpretation by the authorized entities themselves;
- the creation of a special body, the Data Protection Board, to handle unresolved complaints and potentially impose material fines with recommendations to ban applications and services from repeat offenders;
- the establishment of appeals to the Telecom Disputes Settlement and Appellate Tribunal, and then the Supreme Court. The bill provides for the creation of a rich source of case law surrounding privacy, which is essentially a constitutional, fundamental right.
Protection and Balance for Data Processing in an Online World
The bill provides that it applies to “the processing of digital personal data within India where such data is collected online, or collected and digitized offline,” as well as “such processing outside India when it comes to offering goods or services or profiling individuals in India.” Similar to the GDPR, the bill is designed to protect individuals within its purview even when their data is processed by companies or other data controllers outside India. It also aims to balance the right of individuals to privacy with the legitimate needs of data controllers to process data.
Rights and Regulations under the Indian Personal Data Protection Act
The PDPB defines the term “personal data” as follows: “any data about an individual who is identifiable by or in connection with such data.” Because the bill applies only to digitized personal data, there are areas that it does not cover, including anonymized data, non-digitized data and non-personal data.
The PDPB establishes the rights of persons under its protection, the regulations with which data controllers must comply, the remedies for non-compliance and the resolution of complaints.
Similarities and differences between the PDPB and the GDPR
Since the GDPR is quite well known and well established, it is necessary to compare the policy provisions of the new PDPB with the GDPR. Some important points are the following:
- Rights of children
Both the GDPR and the PDPB have specific provisions around children’s data protection rights; however, there are some significant differences. For example, the GDPR sets the age of majority at 16 and the PDPB at 18.
- Classification of personal data
The GDPR classifies personal data much further, into subgroups such as race, ethnicity, politics, religion and disability; certain categories are subject to different or stricter compliance rules than personal data in general. The PDPB, on the other hand, focuses on the broad category of personal data, as no subset of data is more sensitive or better protected than another.
- Data Management
Under the GDPR, the person responsible for managing and controlling data is called the data controller; the GDPR offers no further categories or unique requirements for particular subsets. In contrast, the PDPB also provides for the category of “Significant Data Fiduciaries” (SDFs). You receive an SDF notification when you deal with personal data that, because of its sensitivity and volume, may cause harm to the data subject. The PDPB requires those in charge under this category to meet more stringent requirements. Engaging a data protection officer (DPO) to oversee complaint redress, engaging an independent data auditor and conducting data protection impact assessments (DPIAs) are examples.
Conclusion
Efforts have been underway for many years to create adequate legislation around data protection in India. The current version of the bill reflects the amount of effort and discussion that has gone into it, and its passage would mean that India would finally have an adequate law on data privacy to protect the country’s more than 760 million active Internet users. Understanding the provisions and procedures of the PDPB is critical for any organization processing personal data of individuals in India, including many multinational companies.