THE DATA PRIVACY BILL IN INDIA AND ITS IMPLICATIONS ON INDIAN COMPANIES

Introduction

With the proposed Data Privacy Bill, India’s data privacy landscape will likely undergo a sea change. One of the most crucial mandates of the proposed bill is that Indian companies maintain their data on domestic servers, i.e., servers located within India. This mandate has sparked various concerns, questions, and arguments among businesses and individuals. Opinions are being expressed in debates nationwide about how it will affect Indian businesses.

What is the Data Privacy Bill in India?

The proposed Data Privacy Bill aims to establish a legal framework for data protection in India. It seeks to establish comprehensive regulations and standards for data protection, storage, processing, and sharing. It has drawn inspiration from international data protection standards like the European Union’s General Data Protection Regulation ( GDPR) while considering India’s specific requirements and concerns.

The bill is aimed at protecting individuals’ personal data and defining the obligations and responsibilities of businesses regarding obtaining and storing such data. Its primary objective is to safeguard the privacy rights of Indian citizens and ensure that their personal information is handled responsibly.

Importance of Data Privacy Bill for Indian Companies

The Data Privacy Bill is essential for Indian Companies and its importance cannot be overstated, as it will play a crucial role in safeguarding personal data, and establishing trust among customers, stakeholders, and international partners. Furthermore, the Data Privacy Bill will also build trust by empowering data subjects with more control over their personal data; comply with global standards enabling smoother business operations and data transfers across borders. It will also encourage companies to adopt best practices, invest in cyber security, foster digital innovations and create a more robust and competitive business environment. Moreover, it will also help attract Foreign Investments, as companies and investors often prefer to invest in countries with strong data protection laws to establish their business operations. The Data Privacy Bill will also encourage cross-border data flows by reassuring foreign countries that Indian Companies handle data responsibly, and in compliance with international standards.

Key Features of Data Privacy Bill

The Data Privacy Bill also called the Personal Data Protection Bill (PDPB), is aimed at regulating the processing and usage of personal data. It spells out its key features that include applicability; data principal rights; consent and purpose limitations; categorization into sensitive personal data; data localization; cross-border transfers; data breach notifications. Some of the major features include the following:

New Concepts Introduced:

Concepts like data fiduciaries, data principals, and sensitive personal data are introduced under the bill.

Define Obligations:

The bill outlines the obligations of data fiduciaries regarding authorization, restriction of use, data minimization, and security safeguard measures.

Data Protection Authority:

The bill seeks to establish a Data Protection Authority to monitor compliance and impose penalties for violations.

What Impact Will Data Privacy Bill Have On Indian Companies? 

Review and Update Existing Data Policies: To comply with the new legislation, Indian companies must review and update their existing data protection policies and procedures.

Obtain Explicit Consent: To collect and process the personal data of individuals, companies will have to seek express consent from individuals.

Companies Will Be Subject To Additional Responsibilities: Companies managing sensitive personal data will be subject to additional responsibilities and obligations.

Violation Will Lead To Penalties: A violation of the bill could lead to substantial penalties, other legal actions, and harm to reputation.

FAQ

Q: Why does the Data Privacy Bill propose that Indian companies’ data should be stored on domestic servers within India?
A: The primary rationale and objective behind this proposal is to ensure better control and protection of the data of Indian citizens. By mandating local storage, the bill aims to prevent unauthorized access to the data, limit the risks of data breaches, and enhance the capacity of Indian authorities to enforce data protection laws.

Q: How will this provision impact Indian Companies?
A: This provision will necessitate considerable modifications in Indian Organizations’ data storage practices and procedures. They must invest to build infrastructure, develop or move data centers domestically, and change their IT strategies, plans, and budget spending accordingly.

Q: Are there any exceptions to this provision?
A: Under specific conditions and restrictions, the bill permits some categories of data to be processed and stored outside India. These exceptions include information or data not classified as sensitive or critical personal information. However, the final criteria for exceptions have yet to be spelled out, and the bill’s final draft may contain more specific information and requirements about the exceptions.

Q: What are the potential benefits of the proposed Data Privacy Bill?
A: According to supporters of the data privacy bill, data storage within India will strengthen data sovereignty by guaranteeing that personal data about Indian residents is subject to Indian laws and jurisdiction. Moreover, it can also promote the growth of local data centers, generate new job possibilities, and encourage technological advancement across the nation.

Q: Are there any concerns or criticism about the bill?
A: Yes, critics have raised several issues. Some are concerned that the bill will increase corporate expenses, obstruct cross-border data transfers, and reduce the availability of global cloud services. Others are worried about excessive government monitoring as data centralization would facilitate easier access to data and may lead to a rise in unwarranted surveillance.

Q: What are the penalties for non-compliance with Data Privacy Bill?
A: The exact sanctions for non-compliance have yet to be decided because the bill is still being debated. But transgressions may likely lead to penalties or other legal actions. The type and intensity of non-compliance will determine the severity of the punishment.

Q: When is the Data Privacy Bill expected to become law?
A: The original cut-off date was September 2021. It is well past that date, yet it is still being determined when it will be implemented and whether it will go through any subsequent amendments.

Conclusion

With the provision for local data storage by Indian Companies, the proposed Data Privacy Bill in India has generated considerable discussion and speculation. While the bill intends to strengthen data protection and control, it’s important to consider business, privacy, and security concerns. Continuous or ongoing discussions and debates will occur as the bill progresses through the legislative processes. For both Indian businesses and individuals, it will be crucial to keep updated and track trends about the progress of the Data Privacy Bill.
Confiex Data Room, on its part, as always, will completely adhere to all the compliance requirements of the Data Privacy Bill once it is implemented in India.