India publishes draft of a data protection bill

After the Hon’ble Supreme Court declared in its landmark decision that privacy is a “guaranteed fundamental right”, the Sikrishna Committee drafted a Personal Data Protection Bill, 2018.

In contrast to the terms “data subjects” and “controllers” chosen in the GDPR, the Indian draft designates the individuals whose personal data is processed “data principals” and the organisations responsible for the processing “data fiduciaries”.

With the new data protection bill, data principals have a variety of rights such as rights to access, rectification or the right to be forgotten. In order to ensure data compliance, the concept of an annual data audit, which will be carried out by organisations through independent data auditors, was also introduced. In addition to data fiduciaries who are based in India, the regulations also apply to those who systematically offer goods and services to data principals in India, or those whose work involves profiling of Indian data principals.

The new data protection bill also introduces the figure of the Data Protection Officer (DPO) for India. Organisations must appoint a DPO if they are “significant data fiduciaries”, i.e. if they are involved in high-risk processing activities, or if they are not present in India but covered by the bill. Those organisations shall appoint a DPO who is based in India. In contrast to the GDPR there is however no requirement of the independence of the DPO.

For cross-border data transfers, it is required that at least one copy of personal data is stored on servers or data centres located in India. Data classified as “critical personal data” may only be processed in a server or data centre located in India.

According to the Sikrishna Committee, the draft could be seen as a template for developing countries all over the world.