The legislation will mark the beginning of a new privacy regime in India.
The Union Cabinet has cleared the Personal Data Protection Bill 2018. The bill, India’s own privacy protection bill, along the lines of the UK Data Protection Bill and the European GDPR, will be introduced in the ongoing (winter) session of Parliament.
This marks the beginning of the final phase in the journey towards enacting Indian privacy legislation. That journey began in July 2017 with the constitution of an expert committee under the chairmanship of Justice B N Srikrishna, a former judge of the Supreme Court of India, to identify key data protection issues in India and to ‘make specific suggestions for consideration of the Central Government on principles to be considered for data protection in India and suggest a draft data protection bill.’
But what really accelerated the creation of the legislation was a historic judgment by a nine-judge bench of the Supreme Court, on 24 August 2017, that the right to privacy is a fundamental right.
“The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution,” the bench ruled in its order while overruling two earlier decisions by the apex court. The government had argued against privacy being a fundamental right.
CIO&Leader and CSO Forum have always highlighted the need for such legislation and have focused on the issue. In October 2017, in a story titled Are You Ready For A Data Protection Regime?, CIO&Leader listed the possible issues that could be considered while drafting data protection legislation in India.
The expert committee published a whitepaper on data protection issues in December that year, inviting public comments on the issues. Based on the consultation, the committee submitted its report and a draft data protection bill in August 2018—exactly a year after the SC judgment—and invited comments on it within two months.
Considering that CISOs are important stakeholders in complying with data protection laws, CSO Forum organized a roundtable of top CISOs immediately after the draft bill was released to capture their suggestions and submitted them to the committee. It created a special magazine issue on the subject, which can be read here.
The Indian draft data protection bill caught global attention for a few reasons. One, it insisted that all organizations dealing with personal data of Indians keep one copy of that data within the shores of India, which was considered unusual and was criticized by many. Two, unlike the GDPR and UK Data Protection Act, the Indian draft bill was softer on government agencies than on private organizations when it comes to the rights of data owners.
Earlier this year, some media reports claimed that the government was diluting some of the data residency conditions (keeping data in India), with only critical data being required to be in India, but the Ministry of Electronics and IT, in a statement, dismissed the claims and called these media reports speculative.
The final bill draft is not yet known.