India’s data protection challenge

India’s Personal Data Protection Bill cannot come soon enough as a wave of cyberattacks hits the nation.


India’s new Personal Data Protection Bill is working its way through the nation’s Parliament and could be enacted by next year. Modelled on Europe’s GDPR, the Bill promises to give India’s consumers power over their data and ensure that organisations handle electronic information responsibly.

For many observers, implementation of PDP cannot come soon enough. India’s existing data rules are seen as dysfunctional after a string of cyberattacks hit some of the nation’s biggest technology brands. Breaches have been alleged at digital wallet and payment system MobiKwik, according to a post on Website Planet, while B2B platform Bizongo also reportedly suffered a data breach.

Under current laws, businesses are not obliged to report data breaches. Consumers are often none the wiser if their information has been stolen. The PDP would force companies to take responsibility for the security of data and inform consumers if their information had been compromised. The Bill proposes fines of between 2% and 4% of global turnover or Rs 15 Crore (£1.5m) for offending companies that fail to obey the PDP.

India’s version of GDPR but with differences

“The existing privacy legislation in India is archaic so it definitely needs modernisation,” says Gartner VP and privacy specialist Nader Henein. But he adds that enforcing cybersecurity is not the only reason for welcoming the PDP. “One reason you modernise your practices is that you want to play in the modern eco-system of data,” he says.

Countries across the world are seeking “adequacy” status from the EU, which allows them to seamlessly handle the data of European citizens in line with GDPR. Japan, Canada, South Korea, New Zealand and Argentina are among the nations that have achieved adequacy status while others such as Vietnam and India are passing GDPR-style legislation.

India will seek GDPR adequacy once the data protection law is passed. This is vital to its economic future. Some 30% of India’s $200bn a year IT and outsourcing industry revenues derive from the EU. In the three years since GDPR was introduced, Indian businesses have had to work hard to demonstrate they are compliant with the rules. Once data adequacy is achieved, this becomes automatic. India has little choice but to broadly model PDP on European legislation.

“The (PDP) law has a lot of commonalities with GDPR but it also has some fundamental differences,” says Henein.

The Bill defines three types of personal data—standard, sensitive and critical—and places data residency restrictions on the movement of this information. Standard information can be moved in and out of India without concern. Sensitive information including passwords, financial details and religious and medical information must be held inside India and explicit consent is needed to move the data abroad. But “critical” data cannot leave India. The Bill gives the Government the power to define critical data, and this will typically be security and military-related information.

These data residency rules stand in contrast to GDPR, under which data can be exported globally to locations judged to have data adequacy, or that can show that they will abide by the stipulations of GDPR.

India’s IT industry will pay for PDP

So what about data brought into India for processing by the IT outsourcing industry? Henein says: “Some interpretations I’ve seen say that if the information is brought into India and processed in some way as part of the massive outsourcing industry, then it becomes subject to the regulation.”

However, he doubts the law would make it harder for the outsourcing industry to carry out its work, as this could hit one of the nation’s most important industries.

In the latest review of the Bill’s provisions, a Parliamentary sub-committee has recommended some 89 amendments and one new clause, which need to be reviewed and discussed, so the exact shape of the Bill is yet to be finalised. The Bill’s progress has slowed as India grapples with its devastating Covid crisis, and it is unlikely to be put to the vote imminently. Depending on the progress of the pandemic, the Bill could pass into law in the next session of the Lok Sabha, the Indian Parliament’s lower house. Up to 18 months might pass before it is enacted, so it may come into force by the end of 2022 or 2023.

A central aim of the law is to offer consumer protection after a Supreme Court ruled in 2017 that citizens have a fundamental right to privacy.

But there are concerns among companies that it will create extra costs, as they may be forced to relocate their data centres from abroad back into India to comply with the location rules. An insurance company might have data centres located in Europe, the Americas and Asia-Pacific and have spent considerable time and effort in migrating data to these centres. But with the PDP, the business could be forced to build a new data centre in India purely for local data.

Even so, strong new data laws are crucial to India’s plans to speed up mass digitisation among its population of one billion. But some are sceptical about whether the Indian state will rigorously enforce the legislation.

Chandramouli, CEO of TRA Research, says much depends on interpretation of laws. “No law is perfect in its verdict so we have to be extraordinarily careful. This is not going to be seen as effective until the time that there is will at the centre to take it on with a sense of seriousness.” That said, he believes the prospect of heavy fines for companies that fail to secure consumers’ data would focus corporate attention on security.

The long road to data privacy is worthwhile

Henein believes that as the “world’s oldest bureaucracy”, India is experienced at establishing new laws. “Once you have a body in place to monitor these regulations, it becomes empowered to make sure that things are handled appropriately,” he says. But he acknowledges that it will take time for the new law to become accepted practice.

“It is not going to be smooth out of the gate and any perception that it will be is unrealistic. It wasn’t the case in Europe with GDPR and they had decades to prepare,” he says.

PDP is an early step on India’s journey to data privacy. The road will be long but the prizes – consumer protection and acceptance of India’s digital industry into the global data eco-system – are worthwhile.