India Creates Personal Data Protection Bill

Laura Bednar | Cybersecurity


There is mounting demand all over the world for governments to enact legislation that will more strictly regulate the collection, storage, and dissemination of personal data. The European Union has already enacted the General Data Protection Regulation (GDPR), which ensures individuals greater privacy, security, and control of personal data online. Many such bills have been passed by American states, and demand is growing in America for national legislation. In keeping with this movement, India has passed a Personal Data Protection (PDP) Bill.

Breaking Down the Bill

India’s PDP classifies data into one of three categories: general, sensitive, and critical. Sensitive data is considered personal information that people have reason to keep secure, such as financial status, religion and caste, medical and biological data, and the like. Critical data consists of classified government and military records. General data is everything else.

The bill allows general data to be processed and stored anywhere in the world, provided the individuals from whom it is extracted explicitly consent. Sensitive data can likewise be processed outside of India, but must be stored in India. This has been criticized by many who fear the regulatory burden on corporations will stifle India’s needed economic growth.

The PDP also gives the government wide leeway to access and use sensitive individual data if it is deemed necessary for national security. It does not establish any guidelines to clarify which data, or in which circumstances an individual’s data, might fall under this standard. The law also establishes a series of individual rights with regard to data, including the rights to confirmation, to correction, to portability, and to be forgotten.

How It Compares

India’s bill is similar in many ways to the EU’s GDPR. Like the EU regulation, it establishes certain individual rights to the access and use of personal data, and makes third-party access to this data contingent on the consent of the individual or compelling public interest. Both make exceptions for national security, and in fact the GDPR maintains a laundry list of exceptions (such as the deceased being covered by the data laws of their nation of residence). Both bills also require corporations to appoint data protection officers to enforce the regulation within their organizations.

The key difference, in fact, appears to be the GDPR’s predictably greater level of detail, sometimes tending toward bureaucratic prolixity. Whereas the Indian legislation is very broadly worded and at times ill-defined, the EU regulation is granular nearly to the point of aggravation. These differences are a reflection of the vastly different circumstances of the two authorities.

India is a developing nation in dire need of foreign direct investment, and the existing legislation, as noted, has people worried that it will scare away capital. Every policy its government adopts must directly respond to these serious conditions. The EU, on the other hand, is not strictly a government at all, but an international organization to which member states have surrendered some, but not all, of their sovereignty, and whose precise authority remains somewhat nebulous. The differences in spirit and letter between these otherwise cognate laws are, thus, hardly surprising.

Security is a Top Priority

Secure Data puts data security at the forefront of our operations whether it be protecting your data during the recovery process, or shipping it back to you on secure storage media. In the case that your data becomes compromised either because of a data breach or lack of proper legislation, our digital forensics team can end a cyberattack, find what information was exposed, and find the source of the attack. Learn more about our data protection protocols by calling 1-800-388-1266.