India proposes measures to enhance data privacy of 760 million users

World’s largest connected democracy floats measures backed by fines of up to $61m.

India has become the latest country to propose new data privacy laws covering the transfer of personal data between nations. The draft document is the product of four years of work and seeks to bring the country’s legislative framework into alignment with the EU’s GDPR, California’s Consumer Privacy Act and China’s PIPL.

The move is significant because India is, says a government explanatory note, “the largest connected democracy in the world, and is amongst the highest consumers and producers of data per capita amongst the countries”. The nation is estimated to have around 760 million active internet users.

Seven principles

The proposed new Digital Personal Date Protection Bill is organized around seven principles.

  • Use of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.
  • Personal data must only be used for the purposes for which it was collected.
  • Only those items of personal data required for attaining a specific purpose must be collected.
  • Reasonable effort must be made to ensure that the personal data of the individual is accurate and kept up to date
  • Personal data must not be not stored perpetually by default. The storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected
  • Reasonable safeguards should be taken to ensure that there is no unauthorised collection or processing of personal data. This is intended to prevent personal data breach.
  • The person who decides the purpose and means of processing of personal data should be accountable for such processing.

The document notes that “Cross-border interactions are a defining characteristic of today’s interconnected world” and so makes provision to ensure that “personal data may be transferred to certain notified countries and territories”. The proposal is for central government to assess “such factors as it may consider necessary” before notifying “such countries or territories outside India to which a Data Fiduciary may transfer personal data”.

National interest

Specified conditions that must be considered when assessing data transfer to other nations include the need to access personal data in order to prevent, detect or investigate an offence. The government would also be allowed to exempt itself from the bills requirements, on the basis that national interest can be more important than the interests of an individual in certain circumstances.

Proposed penalties for non-compliance are capped at $61m. Failure to notify the government of a breach would be subject to a $24.5m fine, while failure to take reasonable precautions could attract a penalty of up to $30.8m.