High Court Ruling, EU Privacy Regime Influence Indian Law Update

By Madhur Singh

The Supreme Court of India’s ruling that privacy is a fundamental right has lent urgency to the government’s effort to update the nation’s data privacy framework with stricter rules for using and keeping personal data and notifying people of a breach, privacy attorneys told Bloomberg BNA.

Draft privacy legislation in the works, which may be ready for release as early as December, is also being influenced by provisions in the European Union’s new privacy regime, the General Data Protection Regulation, which is set to take effect in May 2018. The draft will likely focus on consent to use personal information, data retention and erasure, breach notice and damages, and bigger penalties, attorneys said.

Although its final form hasn’t been set, companies doing business in India can be certain they will face a host of new compliance obligations once a new law is in place.

The draft is subject to approval by Parliament and the president. The update was driven by a desire to consolidate data privacy provisions scattered across several statutes, including the Information Technology Act of 2011, into a single privacy framework law. But the court ruling and the looming GDPR effective date have made it more of an imperative.

Amit Jaju, a fraud investigation and dispute services partner at EY India, told Bloomberg BNA that although India’s minister for information technology has said the new law would be in place by the end of 2017, India is setting a real privacy foundation for the first time, and that means the law’s implementation will be difficult. Even if the new law is enacted promptly, preparing companies and regulators to implement the law will take a long time, Jaju said.

Supreme Court Privacy Ruling

India’s top court ruled Aug. 24 that privacy is a fundamental right, and that “informational privacy is a facet of the right to privacy.” That general constitutional ruling is now being applied in the context of a challenge to WhatsApp’s sharing of data with its new parent Facebook Inc., although some privacy attorneys have predicted that the court will wait to rule until after the new privacy statute is in place.

The ruling’s primary impact is in accelerating the government’s effort to adopt a new privacy law, Probir Roy Chowdhury, a partner in the corporate and commercial practice at J. Sagar Associates in Bangalore, India, told Bloomberg BNA, speaking in his individual capacity. But the draft may also reflect the court’s recognition of a right to be forgotten principle, under which individuals can seek the removal of personal data if their privacy rights outweigh any public right to see the information, he said.

If the right to be forgotten is included, “search engines, social media platforms, and media companies operating in India will be most affected,” Roy Chowdhury said. They may need to examine “their internal processes for receiving and processing requests for the deletion of data from the general public,” he said.

Supratim Chakraborty, an associate partner in the corporate practice at Khaitan & Co. in Kolkata, said that the draft law will strengthen rules on transfer of data to third parties, and may bolster cross-border data security and enforcement mechanisms. The law may also require companies to get informed consent from individuals to use their personal information, and be transparent about how the data may be shared with others, he said.

New EU Privacy Regime

The other major influence on India’s forthcoming privacy update is the GDPR. The EU law’s data transfer, consent, and other provisions will make it more difficult to transfer personal data from the EU to India.

A wide variety of Indian businesses will feel that impact, including outsourcing companies in India that process data, banks with branches in India, Indian companies operating in the EU, and the travel and medical tourism sectors, privacy professionals said.

The present scattered privacy provisions in Indian laws differ from the GDPR regime in some significant ways, including that Indian laws:

  •  primarily regulate the processing of sensitive data, instead of both sensitive and more general personal data covered by the GDPR;
  •  apply primarily within India, whereas the GDPR framework extends to companies handling EU data anywhere in the world; and
  •  recognize implied consent from individuals rather than the GDPR-required free, specific, informed and unambiguous consent by clear, affirmative action.

Roy Chowdhury said Indian lawmakers are likely to expand the scope of Indian privacy law to regulate a much broader class of data, provide clarity on the territorial scope and applicability of Indian law, particularly for data processing outside India, and better define privacy rules for cross-border data transfers.

Although the GDPR continues to distinguish between data controllers and data processors, as does current EU law, it also, for the first time, extends some data privacy obligations to companies that process data. Indian companies should look to the GDPR to help determine whether they will be characterized as a data controller or a data processor to understand their obligations and liabilities, Roy Chowdhury said.

The GDPR mandatory data breach notice provision will likely present Indian companies with challenges. Breaches have been a rising but unaddressed concern in India, but notification and penalty procedures for breaches could be included in the new Indian law, Jaju said.

To contact the reporter on this story: Madhur Singh in Chandigarh, India, at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
