India’s Personal Data Protection Bill (PDPB) is set to be a significant piece of legislation for tech companies operating in India. The PDPB seeks to regulate the collection, storage, processing, and transfer of personal data of individuals by various entities, including government and private entities. The bill has been in development for several years, and its passage is expected to have far-reaching implications for the tech industry. This blog will provide an overview of the PDPB and its implications for tech companies.

Overview of the PDPB

The PDPB was introduced in the Indian Parliament in December 2019 and is currently under review by a parliamentary committee. The bill is modeled on the General Data Protection Regulation (GDPR) of the European Union and seeks to provide a comprehensive framework for the protection of personal data in India. The PDPB defines personal data as related to an identified or identifiable natural person. The PDPB seeks to establish a Data Protection Authority (DPA) that will be responsible for implementing and enforcing the provisions of the bill. The DPA will have the power to investigate violations, issue orders, and impose penalties for non-compliance.

Key Provisions of the PDPB

Consent Requirements: The PDPB requires entities to obtain explicit consent from individuals to collect, process, and transfer their personal data. The bill also provides the right to withdraw consent, meaning individuals can ask entities to delete their personal data.

Data Localization: The PDPB requires specific categories of personal data to be stored within India. This provision is like data localization requirements in other countries, such as Russia and China. Data localization aims to ensure that Indian laws and regulations protect personal data.

Sensitive Personal Data: The PDPB identifies specific categories of sensitive personal data, such as financial data, health data, and biometric data, which require higher levels of protection. The bill requires entities to obtain explicit consent for collecting and processing sensitive personal data.

Cross-Border Data Transfer: The PDPB allows the cross-border transfer of personal data in certain circumstances. Entities must obtain the approval of the DPA for such transfers and must ensure that the recipient country has adequate data protection laws.

Implications for Tech Companies

Compliance Costs: The PDPB will require significant investments by tech companies to ensure compliance. Companies will need to undertake data audits, establish data protection policies and procedures, and train their employees to comply with the new regulations.

Increased Scrutiny: The PDPB will increase scrutiny of tech companies’ data collection, processing, and transfer practices. The DPA will have the power to impose penalties for non-compliance, which could include fines and criminal sanctions.

Data Localization: The requirement for data localization could increase costs for global tech companies. Companies will need to establish data centers in India to store personal data, which could increase infrastructure costs.

Cross-Border Data Transfer: The requirement for approval from the DPA for cross-border data transfer could create challenges for tech companies that operate globally. Companies must establish processes to obtain approval from the DPA and ensure that recipient countries have adequate data protection laws.

Conclusion

The PDPB represents a significant step towards comprehensive data protection in India. The bill seeks to protect individuals’ data and establish a robust regulatory framework for data protection. The implications of the PDPB for tech companies will be significant, with increased compliance costs and regulatory scrutiny. However, the PDPB also presents opportunities for companies to establish themselves as data protection and privacy leaders. As the PDPB moves towards passage and implementation, tech companies will need to prepare themselves for the new regulatory environment.