India's billion and a half population needs new data privacy laws
How will privacy regulation dominate tech in India for the next decade?
One thing that is certain in 2022 is the desperate need for India to adopt a new data privacy law to bring it into line with evolving global standards. When this happens, it will have very substantial consequences for the tech economy in India, famed for some household names in IT services.
India's current law on personal data is found in various subordinate legislative rules, appended to the main information technology law: the Information Technology Rules 2011. It comprises all of three pages and says as much about data security standards as it does about data privacy and protection.
Some of this is explained by the current law’s vintage – it was passed in 2011, before India experienced a mobile connectivity boom that has seen an increase of over 600 million internet users since 2010. Given that this figure may double over the next decade, the need for a robust new data protection law is not controversial.
What should the law look like?
What is not widely accepted is what this law should look like. Since 2017, when the Indian Supreme Court held that information privacy is a fundamental right, there has been significant discourse on what this law should cover. A draft bill, released in 2018 and updated in 2019, was similar to the EU General Data Protection Regulation (GDPR) in many respects, but a large part of it was also dedicated to government surveillance and overarching rights. Importantly for the tech industry, there are a number of issues that will determine whether this law is perceived as good or bad for business:
- How "GDPR-like" will the final Act be? The 2019 draft bill imported multiple concepts from EU law, including "privacy by design", independent data regulators and the full set of data subject rights. Worryingly for private industry, the high fines and penalties for non-compliance were also mirrored.
- Will data localisation be mandated? At the time of writing, only a few types of data are required to be localised in India, including, tellingly, payment data. If any major sets of "critical" data are mandated to be stored only in India, the way a number of Indian and overseas players do business will change.
- Will this Act regulate non-personal data, as well as personal data? If so, this has implications for India’s nascent Internet of Things and artificial intelligence industries. Tech innovators may find raw data hard to come by for their connected applications and machine learning needs.
- Will data sharing with the government be mandated? The draft bill allows the government to require the sharing of anonymised personal data or non-personal data to improve the targeted delivery of government services. This may prove an issue if the locus of such data cannot be determined.
- What will the government’s surveillance powers be? This question is all the more important in light of the Schrems II ruling of the Court of Justice of the EU, which has renewed the focus on data access rights. While such requests are not very common in India, an increase in data access requests to, for example, outsourced IT service providers may worry clients who send their data to India for processing.
Presidential Assent?
The new law is expected to receive Presidential Assent in early 2022. A committee of lawmakers has already presented its final report on this topic to the Indian Parliament. The new Act will likely include a grace period of up to 24 months for data controllers to ensure compliance.
No matter what form the new law finally takes, it will be one of India's most important pieces of legislation of this decade. Just as the GDPR has done, it will impact everyone and every part of civil and commercial life in India, including over a billion internet users and the many multinational companies who process personal data in India.
Vikram Singh Partner, BTG Legal, India vikram@btg-legal.com +91 11 4251 9610