Several countries have successfully implemented major data privacy and protection regulations over the past decade. The EU’s General Data Protection Regulation (GDPR) drastically changed how companies managed data, not just for their customers in the EU, but worldwide. Then came the California Consumer Privacy Act (CCPA), which had a similar cascading effect when companies decided that if they had to alter their practices for customers in California, they might as well update them for everyone.   

For the past few years, India has been working towards a law called the Personal Data Protection Bill that would have similarly large effects across the industry. On Dec. 16 of last year, the Indian Joint Parliamentary Committee (JPC) submitted a report on a draft of the bill, and according to the National Law Review, it’s likely that the bill could be passed and go into effect in the first half of 2022.

According to Elizabeth Schweyen, senior manager of global privacy and compliance at data protection company Druva, the bill was initially drafted in 2017 to protect personal data of Indian citizens. Over the past few years it has undergone changes and now covers both personal and non-personal data.

There is a data localization component to the bill that would require certain data to be processed locally within the country. “Sensitive data, including biometric information, government identifiers and financial information, can be transferred outside of India but organizations are required to keep a copy of this data locally,” Schweyen added.

In addition, organizations that have experienced a data breach would be required under this law to disclose it to the authorities within 72 hours of discovery if it affects the data of Indian citizens. Then, the Data Protection Authority would decide whether those people need to be notified, Schweyen explained.

The National Law Review also reported that the JPC has recommended a phased approach to implementing the law. First, a number of government offices will be appointed, and then the law would be fully implemented within two years. 

If the bill were to pass, organizations would need to educate themselves on the new law and how it differs from other recent privacy laws.

“They need to enhance their existing compliance strategy to incorporate mechanisms that will allow them to fulfill Indian data requests, collaborate with the Indian data protection agencies, and support their customers and consumers’ needs in the region,” said Schweyen. “Employee training should be expanded to include the new law and ensure employees understand their responsibility when handling personal data. Once fully enacted, India will become another country in a growing list of countries with strong data privacy laws.”

Non-compliance with the law carries financial penalties, similar to other major data protection laws, but also the possibility of imprisonment, Schweyen explained. “For example, an individual who re-identifies personal data that had previously been de-identified by a data fiduciary or a data processor without consent may be punished with both imprisonment of a term that may extend to three years and a fine of up to 200,000 rupees,” she said.

She also noted that this law would make social media platforms potentially liable for content that is posted from unverified accounts to their platform. According to Schweyen, this would make India one of the first countries to have a law that does this.

“The bill will usher in a new era of data privacy in India in which maintaining compliance will be key. Companies should implement a privacy-first strategy now to prepare or else they will face large fines, or even prison time in their future,” Schweyen said.