Location Risk Monitoring

Are Your Third Parties Prepared for India’s Personal Data Protection Act?

Written by Sudeep Chakraborty

With increasing digitization at a global level, protection against misuse of personal data has become indispensable. Globally, there are various models for data protection such as comprehensive data protection framework in European Union which is equally applicable for the public and private sector, or in the United States, where the approach towards data protection varies for the public and private sector. Though there are contrasting approaches to data protection, the underlying principle is same – the right to privacy. From an enterprise point of view, forthcoming new regulations around data is a good time to assess possible third-party risk scenarios and prepare for them.

India considers the right to privacy as a fundamental right for its citizens. Being the world’s second-most populous country and sixth largest economy by nominal GDP, action on legislating data protection is vital for India. On July 27, 2018, the draft of the legislation on data protection titled Personal Data Protection Bill, 2018 was submitted to the Government.

What is the Personal Data Protection Bill, 2018?

India does not have any specific legislation for data protection yet. Legislations such as SPD Rules (Sensitive Personal Data and information, 2011), the Information Technology (Amendment) Act (2008), the Copyright Act (1957), and the Indian Penal Code (1860), filled the void, though minimally. The Personal Data Protection Bill, 2018 addresses the need to create a strong data protection law in India. If the bill is passed as a legislation, it will regulate the collection, usage, transfer and disclosure of citizens’ data.

Applicability of the Proposed Personal Data Protection Bill

The proposed bill applies to both government and private entities in all sectors and categories of industries which are involved in:

▪ processing of personal data where such data has been collected, disclosed, shared or otherwise processed within the territory of India

▪ processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law

▪ processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is:

▪ in connection with any business carried on in India, or any systematic activity of offering goods or services to data principals within the territory of India; or

▪ in connection with any activity which involves profiling of data principals within the territory of India.

Key Aspects of the Proposed Personal Data Protection Bill

As per the proposed bill, any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data is termed as “Data Fiduciary”. The bill mandates them to notify the nature and purpose of processing personal data and can proceed further only after consent from the concerned person. The bill also empowers the concerned person with right to access, correct, port, and the right to be forgotten for their data.

For enterprises and their third parties, a crucial clause is the mandate to store at least one serving copy of personal data on a server or data center located in India. Furthermore, certain critical personal data, as notified by the Government, must be processed only in a server or data center located in India. In case of non-compliance, the penalty may extend from INR 5 Crore to INR 15 Crore or 2% to 4% of its total worldwide turnover of the preceding financial year, whichever is higher.

The bill also directs the Government to establish a Data Protection Authority (DPA) to monitor, ensure compliance, and enforce application of the proposed bill.

Third Party Risk from the Proposed Personal Data Protection Bill

According to the news reports, the Personal Data Protection Bill, 2018 is likely to be introduced in the Indian Parliament in June 2019 after the general elections. Nevertheless, global tech firms operating in India including Cognizant, Genpact, and IBM are already raising concerns about the proposed bill, saying it could impact their business practices and increase regulatory scrutiny. Their fears are not unjustified.

If the bill is passed as a law, organizations must undergo several structural changes to comply with provisions such as privacy-by-design, storage limitations, data protection impact assessments, stringent security measures and data localization. Additionally, global organizations that process personal data of Indians but store their data elsewhere will likely incur high operational costs involved in setting up local servers. Given the complexity of the infrastructure requirement, it is safe to consider that certain provisions will only take effect after a period of time.

That being said, the Government of India must also adopt a balanced approach so that the final law supports a certain level of mutual cross border transfer of data to support economic and trade interests.

For more insights/updates on third-party risk that could arise because of the proposed Personal Data Protection Bill, 2018, subscribe to Supply Wisdom.

Request a free trial to see how Supply Wisdom’s real-time risk intelligence enables you to stay up-to-date on latest policy changes and proactively manage risks across your global locations and suppliers.