Saturday 20th October 2018

The latest Indian privacy bill proposes imprisonment or fines up to $1.4 million for data offences

The latest bill follows a previous bill drafted in 2013. Some of its provisions broadly mirror the GDPR, particularly its definition of what constitutes 'personal data.'
by Jason Smith on 12th June 2018

A new Indian privacy bill, titled “Indian Privacy Code 2018” and drafted by a coalition of Indian lawyers and privacy advocates, proposes punishments including up to five years' imprisonment or fines up to $1.4 million for data offences.

While India doesn’t currently have specific legislation governing data privacy, references are made to data protection in the Information Technology Act, 2000 and the (Indian) Contract Act, 1872.

The bill has been published on the website saveourprivacy.in and will be sent to the Government from a ten-person committee headed by B.N. Srikrishna, a former Supreme Court Judge.

The new draft aims to codify data protection rights for Indians, as the GDPR has attempted to do for citizens of member states of the European Union.

The proposal is backed by the Internet Freedom Foundation, which has recently expressed its discontent with the pace of privacy reform in India.

Its discontent has been echoed by the founder of the Center for Internet & Society, Sunil Abraham, who states, “The reason civil society is doing this is because the government is not sharing their draft bills.”

Like IFF, CIS also tabled a draft Privacy Protection Bill back in 2013, which has served as a reference for those responsible for drafting the Indian Privacy Code, 2018.

Privacy groups have also expressed consternation over a report in the Tribune from earlier this year that revealed malicious actors could gain access to personal information on any citizen in possession of a unique identity number through a service promoted anonymously on WhatsApp.

With a population of 1.3 billion people, India also represents Facebook’s largest marketplace; over 270 million of its 2.23 billion users are based in the country.

The Indian Privacy Code, 2018 contains a number of provisions similar to those in the EU’s GDPR. For example, it defines personal data as “any data which relates to a natural person if that person can, whether directly or indirectly in conjunction with any other data, be identified from it and includes sensitive personal data.”

One of the more interesting provisions in the bill is provision 12(i), which outlines how data collected prior to the act should be processed.

“All data collected, processed and stored by data controllers and data processors prior to the date on which this Act comes into force shall be destroyed within a period of two years from the date on which this Act comes into force.”

It goes on to state that the provision is inapplicable in instances where an organization has obtained fresh consent or anonymized a user’s personal data.

The ethos of the bill is also summarized by seven guiding principles listed on saveourprivacy.in. The principles include:

  • The creation of a “strong” privacy commission to enforce legislation on data privacy;
  • The public should be able to lodge complaints with the new commission;
  • The Government should respect user privacy and “the use of digital technologies…should not be privileged over fundamental rights”; and
  • Individuals should not be forced to sacrifice access to essential services for data privacy and the new commission must have jurisdiction over the Government.

The principles also state “The Indian Privacy Code, 2018 must have extraterritorial effect and apply to web services and platforms which are accessible in India and which gather personal data of Indians.”