The Indian federal government on Friday published a new draft of data privacy laws that would allow personal data transfer to other nations under certain conditions, and impose fines for breaches of data-transfer and data-collection regulations.
The proposed legislation has been in the works for about four years. Up until now, the Reserve Bank of India has enacted regulations that make businesses keep transaction data within the country. The government, though, has not issued more general data protection regulations such as the EU’s GDPR (General Data Protection Regulation), so companies have been exporting personal data in the absence of clear privacy rules.
“Cross-border interactions are a defining characteristic of today’s interconnected world,” according to an explanatory note from the government accompanying the bill. “Recognising this, it has been provided in the bill that personal data may be transferred to certain notified countries and territories.”
The bill itself explains that the federal government will notify the governments of other countries to which data may be exported, noting that there will be specific conditions that must be met in order for data to be transferred.
“The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified,” according to the draft.
A data fiduciary, according to the draft, could be any person or a group of persons who determines the purpose and means of processing personal data.
Conditions for data transfer outside India
The draft Digital Personal Data Protection Bill, for which the ministry of electronics and information technology has invited feedback from the public via a portal till December 17, also lays out the exemptions and conditions that must be taken into account when considering the transfer of personal data to other nations.
Some of these conditions include the need to process personal data to enforce legal rights or claims, or when processing data is in the interest of preventing, detecting or investigating any offence.
The draft also specifies certain conditions wherein the government can exempt itself from any of the provisions or statutes under the bill. The note published by the Indian government explained that national and public interest can be greater than the interest of an individual at certain times.
Regulations specify conditions for data collection
Further, the draft specifies that the data collected by any organization or institution should be used only for the purpose for which it is collected and for which consent to the data collection has been given.
Additionally, the explanatory note from the ministry suggests that personal data cannot be stored perpetually by default and should be limited to a duration suited for the purpose it was collected for.
In terms of security or safeguarding personal data, the draft specifies that “reasonable safeguards are taken to ensure that there is no unauthorised collection or processing of personal data.”
The safeguards, according to the government, are intended to prevent breaches of personal data. The draft suggests the person who is processing personal data will be held accountable in case of a breach.
Stringent penalties for security infractions
The draft bill also proposes stringent penalties on any data processor in case of non-compliance with any of the clauses.
In the event of a personal data breach where the processor fails to take reasonable security safeguards, the draft proposes a penalty of up to US$30.8 million.
Additionally, in case the processor or entity fails to notify the government board of a breach, a fine of $24.5 million will be imposed, the draft specified.
A particular instance of non-compliance would attract a maximum fine of up to $61 million, according to the draft.
The draft comes at a time when governments around the world are either in the process of planning or implementing personal data privacy laws.
India’s data privacy laws, when introduced, are expected to cover any business entities operating within the country or intending to process data of Indian citizens, similar to the GDPR and the California Consumer Privacy Act.