On September 26, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the Indian Ministry of Electronics and Information Technology on the draft Indian Data Protection Bill 2018 (“Draft Bill”).
CIPL’s comments on the Draft Bill focus on several key issues that are of particular importance for any modern-day data protection law, including increased emphasis on accountability and the risk-based approach to data processing, interoperability with other data protection laws globally, the significance of having a variety of legal bases for processing and not overly relying on consent, the need for extensive and flexible data transfer mechanisms, and the importance of maximizing the effectiveness of the data protection authority.
Specifically, the comments address the following key issues:
- the Draft Bill’s extraterritorial scope;
- the standard for anonymization;
- notice requirements;
- accountability and the risk-based approach;
- legal bases for processing, including importance of the reasonable purposes ground;
- sensitive personal data;
- children’s data;
- individual rights;
- data breach notification;
- Data Protection Impact Assessments;
- record-keeping requirements and data audits;
- Data Protection Officers;
- the adverse effects of a data localization requirement;
- cross-border transfers;
- codes of practice; and
- the timeline for adoption.
These comments were formed as part of CIPL’s ongoing engagement in India. In January 2018, CIPL responded to the Indian Ministry of Electronics and Information Technology’s public consultation on the White Paper of the Committee of Experts on a Data Protection Framework for India.