On July 27, 2018, the Justice BN Srikrishna committee, formed by the Indian government in August 2017 with the goal of introducing a comprehensive data protection law in India, issued a report, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (the “Committee Report”), and a draft data protection bill called the Personal Data Protection Bill, 2018 (the “Bill”). Noting that the Indian Supreme Court has recognized the right to privacy as a fundamental right, the Committee Report summarizes the existing data protection framework in India, and recommends that the government of India adopt a comprehensive data protection law such as that proposed in the Bill.
The Bill would establish requirements for the collection and processing of personal data, including particular limitations on the processing of sensitive personal data and on the length of time for which personal data may be retained. The Bill would require organizations to appoint a Data Protection Officer and require annual third-party audits of the organization’s processing of personal data. Further, the Bill would require organizations to implement certain information security safeguards, including (where appropriate) de-identification and encryption, as well as safeguards to prevent misuse of, unauthorized access to, and modification, disclosure or destruction of personal data. The Bill also would require regulator notification and, in certain circumstances, individual notification in the event of a data breach. Noncompliance with the Bill would result in penalties of up to 50 million Rupees (approximately USD $728,000), or two percent of global annual turnover of the preceding financial year, whichever is higher.
The Bill has been submitted for consideration to the Ministry of Electronics and Information Technology and is expected to be introduced in Parliament at a later date.