The bill largely resembles the first draft of 2018; however, it makes broader exemptions for public authorities, and foresees the creation of a ‘sandbox’ for innovation purposes.
Background: India currently does not have an overarching data protection framework. In recent years, and following in the footsteps of Europe’s GDPR, policymakers have worked towards creating one. In 2017, the Ministry of Electronics & Information Technology (MEITY) set up an Experts Committee which later published a White Paper on a possible Data Protection Law. This resulted in a draft Personal Data Protection Bill in 2018, with clear references to the approach enshrined in the GDPR, including rights such as data portability and the ‘right to be forgotten’. However, the bill in its initial form was never submitted to India’s parliament (Lok Sabha) for discussion.
A new form of the bill reaches parliament: This week, more than a year after the drafting of the initial bill, the Government has submitted a Personal Data Protection Bill to the Lok Sabha. The bill retains key aspects of the 2018 one and, in many respects, its resemblance to the GDPR. It defines a ‘data fiduciary’, a ‘data processor’, and a ‘data principal’, respectively equivalent to the GDPR’s data controller, data processor, and data subject. For data principals, it sets out rights to confirmation and access; to correction and erasure; to data portability; and to be forgotten, thereby adopting many of the rights granted by the GDPR to data subjects. The law also requires data fiduciaries to prepare and maintain a ‘privacy by design’ policy.
Broader exemptions are introduced: Compared to the 2018 bill, the new text broadens the scope of exemptions to the safeguards, mainly on grounds of national security. While the 2018 draft referred to explicit authorisation pursuant to a law, the new one empowers the Government to order that the provisions in the bill may not apply to certain public authorities. This aspect of the new bill is already attracting criticism from privacy advocates, since it could give the Government strong surveillance powers.
A ‘data sandbox’ is created: The bill also foresees the creation of a ‘sandbox’ to encourage innovation in AI, machine-learning or “any other emerging technology in public interest”. The Data Protection Authority of India would oversee the sandbox and grant access to it to companies that meet certain conditions and apply for its use.