Tag: Data Protection Law

Steps towards data protection law in India

17. June 2022

At present, there is no comprehensive data protection law in India. The relevant provisions are governed by several laws, regulations and court decisions, including the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011.

Following the inclusion of privacy as a fundamental right in Article 21 of the Indian Constitution on August 24th, 2017, a Personal Data Protection Bill (PDPB) was formulated and introduced in the Lower House of the Parliament on December 11th, 2019. The PDPB was intended to constitute the first comprehensive data protection law in India.

The PDPB was pending consideration of the Parliament for a long time. On November 22nd, 2021, the Indian Joint Parliamentary Committee (JPC) responsible for reviewing the PDPB issued its report on the proposed law. Back then, the Indian Parliament was expected to table JPC’s final report and consider the bill on December 21st, 2021, ahead of the end of its legislative session on December 23rd, 2021. Once passed by both houses of the Parliament and approved by the president, the PDPB was then to be enacted as legislation.

However, as it has recently become known, new regulations may soon be introduced to replace the proposed PDPB, which was scrapped in favor of a total overhaul after data localization and data mirroring requirements raised concerns among business stakeholders. In addition, the Indian Government is expected to commence work on a new law to replace the Information Technology Act 2000, which would entail new guidelines for data governance and cybersecurity as part of a ‘Digital India Act’.

This would be a major, and long overdue, step towards a modern data protection law that takes into account both economic interests and individual rights, as well as integrates into the progressive legal development worldwide.

Indonesian President introduces a Proposal for a national Data Protection Law

5. February 2020

On 28 January 2020, Indonesian President Joko Widodo introduced a draft data protection law to the Parliament of Indonesia. When the bill passes through Parliament, Indonesia will be the fifth country in Southeast Asia to have a national data protection law, following Singapore, Malaysia, Thailand and the Philippines.

The proposal has numerous parallels to the European GDPR. It grants an array of data subject rights, like the right to access, the right to erasure and the right to restrict processing of personal data. The bill also contains a broad definition of processing and the general principle of consent, whilst allowing the processing of personal data for the performance of a contract, for compliance with a legal obligation, or for the purposes of legitimate interests.

Interestingly, the bill categorises violations against the data protection rules as criminal offenses and punishes intentional unlawful processing with up to 7 years of criminal imprisonment or punitive fines of up to 70 billion Indonesian Rupiah (4.6 million Euros). If the offender of the law is a corporation, the management or beneficiary owner can be held liable and face a prison sentence.

The Indonesian Minister of Communications and Information stresses the importance of the new date protection bill for the data sovereignty of individuals and hopes for opportunities for innovation and business in Indonesia.