India Considers Sweeping GDPR-Style Curbs for Online Data

(Bloomberg) -- A draft of a sweeping data privacy bill has been submitted to India’s government that, if enacted, will restrict the transfer and storage of information on more than 1 billion people by global technology corporations from Facebook Inc. to Google.

A committee chaired by government-appointed Justice B.N. Srikrishna formally put forth a draft Personal Data Bill 2018 on Friday. Broadly, it recommends foreign companies such as Apple Inc. and Uber Technologies Inc. store information locally, and proposes stringent penalties for flouting tighter rules governing how personal data is handled.

India’s embrace of smartphones has triggered an explosion of sensitive information despite a dearth of regulation, fueling concern among privacy activists and citizens groups about potential abuse. Advocates of the bill argue for over-arching regulation to protect the rights of users -- an issue that’s come to the fore since revelations about the leak of data on millions of Facebook users and a series of high-profile cyber-attacks.

Critics, however, say the proposed legislation will impair the operations of the internet giants and startups that are helping usher in a digital economy. Companies such as Alphabet Inc.’s Google and Twitter Inc. say they rely on a global information network to most efficiently run their apps. And it’s one more headache for Facebook in what is its single largest market by users.

“If this becomes law, seamless data transfer between hubs will become a challenge for companies such as Facebook, Google and Twitter, leading to a disjointed experience for their users,” said Suneeth Katarki, founder-partner of Bangalore-headquartered IndusLaw, which consults for clients on the matter. “On the other hand, companies like Google and Amazon will be offered a massive business opportunity for expanding their cloud business in India.”

Srikrishna’s proposals bear similarities to the General Data Protection Regulation imposed in Europe. Ravi Shankar Prasad, minister for information technology, said on Friday the government will consult with lawmakers before it introduces the draft bill -- which runs into over a hundred sections -- to parliament for voting.

As proposed, it requires companies to localize data and to keep a copy of all personal information on servers within the country. Critical data is to be stored in-country only, while stringent rules apply for cross-border transfers. The committee also recommends the creation of a data protection regulatory authority, and penalties for violations of up to 150 million rupees ($2.2 million) or 4 percent of worldwide turnover in the preceding financial year, whichever is higher.

The draft additionally bans the collecting, recording or disclosure of personal data that identifies individuals. That includes financial, health and genetic data, biometrics, sexual orientation, and political or religious affiliations. Those can only be processed with an individual’s consent or should the government require access under exceptional circumstances.

The draft stipulates that such consent should be explicit and that an individual is free to withdraw that approval. It also grants people the right to access and request corrections of their own data, as well as the ‘right to be forgotten’.

©2018 Bloomberg L.P.