By Madhur Singh
The Supreme Court of India’s ruling that privacy is a fundamental right has lent urgency to the government’s effort to update the nation’s data privacy framework with stricter rules for using and keeping personal data and notifying people of a breach, privacy attorneys told Bloomberg BNA.
Draft privacy legislation in the works, which may be ready for release as early as December, is also being influenced by provisions in the European Union’s new privacy regime, the General Data Protection Regulation, which is set to take effect in May 2018. The draft will likely focus on consent to use personal information, data retention and erasure, breach notice and damages, and bigger penalties, attorneys said.
Although its final form hasn’t been set, companies doing business in India can be certain they will face a host of new compliance obligations once a new law is in place.
The draft is subject to approval by Parliament and the president. The update was driven by a desire to consolidate data privacy provisions scattered across several statutes, including the Information Technology Act of 2011, into a single privacy framework law. But the court ruling and the looming GDPR effective date have made it more of an imperative.
Amit Jaju, a fraud investigation and dispute services partner at EY India, told Bloomberg BNA that although India’s minister for information technology has said the new law would be in place by the end of 2017, India is setting a real privacy foundation for the first time, and that means the law’s implementation will be difficult. Even if the new law is enacted promptly, preparing companies and regulators to implement the law will take a long time, Jaju said.
India’s top court ruled Aug. 24 that privacy is a fundamental right, and that “informational privacy is a facet of the right to privacy.” That general constitutional ruling is now being applied in the context of a challenge to WhatsApp’s sharing of data with its new parent Facebook Inc., although some privacy attorneys have predicted that the court will wait to rule until after the new privacy statute is in place.
The ruling’s primary impact is in accelerating the government’s effort to adopt a new privacy law, Probir Roy Chowdhury, a partner in the corporate and commercial practice at J. Sagar Associates in Bangalore, India, told Bloomberg BNA, speaking in his individual capacity. But the draft may also reflect the court’s recognition of a right to be forgotten principle, under which individuals can seek the removal of personal data if their privacy rights outweigh any public right to see the information, he said.
If the right to be forgotten is included, “search engines, social media platforms, and media companies operating in India will be most affected,” Roy Chowdhury said. They may need to examine “their internal processes for receiving and processing requests for the deletion of data from the general public,” he said.
Supratim Chakraborty, an associate partner in the corporate practice at Khaitan & Co. in Kolkata, said that the draft law will strengthen rules on transfer of data to third parties, and may bolster cross-border data security and enforcement mechanisms. The law may also require companies to get informed consent from individuals to use their personal information, and be transparent about how the data may be shared with others, he said.
The other major influence on India’s forthcoming privacy update is the GDPR. The EU law’s data transfer, consent, and other provisions will make it more difficult to transfer personal data from the EU to India.
A wide variety of Indian businesses will feel that impact, including outsourcing companies in India that process data, banks with branches in India, Indian companies operating in the EU, and the travel and medical tourism sectors, privacy professionals said.
The present scattered privacy provisions in Indian laws differ from the GDPR regime in some significant ways, including that Indian laws:
Although the GDPR continues to distinguish between data controllers and data processors, as does current EU law, it also, for the first time, extends some data privacy obligations to companies that process data. Indian companies should look to the GDPR to help determine whether they will be characterized as a data controller or a data processor to understand their obligations and liabilities, Roy Chowdhury said.
The GDPR mandatory data breach notice provision will likely present Indian companies with challenges. Breaches have been a rising but unaddressed concern in India, but notification and penalty procedures for breaches could be included in the new Indian law, Jaju said.
To contact the reporter on this story: Madhur Singh in Chandigarh, India, at firstname.lastname@example.org
To contact the editor responsible for this story: Donald Aplin at email@example.com
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.