Privacy & Information Security Law Blog

On December 11, 2019, an updated version of India’s draft data privacy bill was introduced in the Indian Parliament (the “Draft Bill”) by the Ministry of Electronics and Information Technology (“MeitY”). The Draft Bill updates a prior version submitted to MeitY in July 2018.

Following its introduction in Parliament, the Lok Sabha (the lower house of Parliament) referred the Draft Bill to a Joint Select Committee consisting of 20 members of the Lok Sabha and 10 Members of the Rajya Sabha (the upper house of Parliament). The Committee is expected to report back to the Lok Sabha by the first day of the last week of the 2020 Budget Session ahead of the Draft Bill being tabled in Parliament. The Budget Session typically runs from February to May each year.

While much of the Draft Bill remains unchanged from the previous version, several notable changes have been made to specific provisions and several new provisions have been added. These include:

• Identifying Categories of Sensitive Data: It is no longer the Data Protection Authority (“DPA”) alone which specifies further categories of sensitive data, but rather, the central government in consultation with the authority and the sectoral regulator concerned.
• Consent Manager: Individuals may give or withdraw consent to the data fiduciary through a “consent manager.”
• Social Media Intermediaries: The category of “significant data fiduciary” also now includes any social media intermediary with users above a certain threshold notified by the government in consultation with the DPA and whose actions have, or are likely to have, a significant impact on electoral democracy, security of state, public order or the sovereignty and integrity of India.
• Data Localization: The previous data localization requirement (that a copy of personal data be stored in India) has been removed from the Draft Bill. There also appears to be no specific restrictions on data transfers except for sensitive data and critical personal data.
• Transferring Sensitive Personal Data: Sensitive data can be transferred outside of India but must continue to be stored in India.
• Requirement to Share Anonymized Data with Government: The Indian Government may, in consultation with the Indian DPA, direct any data fiduciary or processor to provide it with anonymized or other non-personal data to enable better targeting of delivery of services or formulation of evidenced-based policies by the government.