
May 18, 2022

What Businesses Need to Know About India’s Data Protection Bill, 2021

While India doesn’t yet have a data protection law, it has been working on one since 2019. The most recent version of the bill, Data Protection Bill, 2021 (DPB), contains several changes from previous versions, and it diverges in some interesting ways from similar laws addressing data privacy in other countries.

Note that, as of this writing, the bill is still in active consideration and review. Before it becomes law, there may be substantial changes to the requirements. Consequently, it may be wise to prepare for these changes if you do substantial business in India. However, you should continue to monitor updates to the bill as it approaches completion and wait to finalize your process until after the bill has passed and become law. With that in mind, here’s what your business needs to know about India’s Data Protection Bill, 2021.

Scope of India’s Data Protection Bill, 2021

One of the biggest divergences from most other data privacy laws is the way in which the DPB categorizes data. In addition to distinguishing personal and non-personal data, the DPB adds subcategories of personal data in the form of “sensitive” and “critical” personal data, each with unique processing requirements. Unlike many other laws, it also has provisions for processing and storing non-personal data, which means that nearly all data that a company gathers could be subject to some regulations.

It also differs from most laws in that de-identification, the masking of data points to conceal the identity of the person the data relates to, doesn’t exempt that data from regulation. As the law currently stands, “de-identification is a mandatory security safeguard.” Right now, data masking is primarily an action companies take because they have a use case that would be simpler under current legislation if the data were masked. However, masking data at rest is a strong security measure that lessens the impact of breaches and leaks. While India’s DPB is at the forefront of requiring this type of security, even businesses without a presence in India should start using this technology as soon as possible, as other countries will likely adopt data masking as a requirement.

Inclusion of hardware

Another significant way the DPB diverges from previous data protection laws is that it regulates hardware that collects data. Like much of what this article covers, this isn’t fully set in stone yet; it was only proposed for the first time in December 2021. Per this proposal, the bill would be modified to require the government to “establish mechanisms to provide formal certification of integrity, trustworthiness, and security of hardware and software for all digital and IoT devices.”

The decision to include hardware in data privacy regulations makes sense intuitively. After all, your policy and software protections don’t mean a lot if your hardware is compromised. However, requiring certification of hardware components will likely lead to headaches for businesses, especially if the final scope of included parts is as broad as it stands right now. Businesses that collect or process large volumes of data from India or Indian nationals should consider building some space into their budgets in preparation for the certification and upgrade costs associated with this move.

Consent and its exceptions under the DPB

Consent is the cornerstone of most data privacy laws, as they require companies to obtain it before gathering and processing any data. The DPB is still built upon this principle, but it contains far more exceptions to its rules about consent than many similar laws. For example, consent isn’t required when:

  1. The government is using it to:
    1. Perform state functions
    2. Ensure compliance with court-related actions
    3. Respond to medical emergencies
    4. Provide health services during epidemics
    5. Provide safety during a disaster or breakdown of public order
  2. A company is using it for:
    1. Employment-related purposes, where it is reasonable to expect data to be used
    2. Corporate restructuring
    3. Network or information security
    4. Debt recovery
    5. Operating search engines

While there are a few more niche cases in which businesses can process data without consent, the fact remains that the way the bill is currently structured creates some large loopholes relative to other countries’ approaches.

Right to be forgotten

As the bill currently stands, a GDPR-style “right to be forgotten” is included in the text. However, a recent court case suggests that a portion of the bill may not stand, even if passed into law. In 2021, India’s Supreme Court ruled that “public interest” overruled the right to privacy in a case where a man sued to have his records expunged after he was acquitted of a crime. This case suggests that there could be carve-outs to this bill before it is passed or changes made by legal action after the fact that reduce the situations in which companies will be required to honor a right to be forgotten.

Still, while a right to be forgotten isn’t included in every data privacy law globally, it does underline how important it is for companies to be able to track which data relates to which users. Keeping track of what data corresponds to which user is essential for providing inspection and deletion of the appropriate data when a user requests the action. Because these tasks are already a key part of the GDPR, businesses in Europe should already be able to perform these actions and risk heavy fines if they haven’t yet gotten into compliance.
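The two requirements discussed above, de-identification of data at rest and the ability to locate and delete a given user’s data, pull in opposite directions unless the link between user and records is kept deliberately. The following is an added example (not Mage code, and not anything prescribed by the bill) of one common way to reconcile them: direct identifiers are stripped from stored records and replaced by a random pseudonym, while a separately kept lookup table maps each user to their pseudonym so that inspection and deletion requests can still be honored. The field names and sample records are constructed for illustration.

```python
import secrets
from typing import Dict, List

# Fields treated as direct identifiers that must not sit in clear text at rest
# (assumed field names for this example).
DIRECT_IDENTIFIERS = {"name", "email", "phone"}


class DeidentifiedStore:
    """Stores records without direct identifiers while keeping a separate
    user -> pseudonym lookup so per-user inspection and deletion still work."""

    def __init__(self) -> None:
        self._lookup: Dict[str, str] = {}            # user_id -> pseudonym (kept apart)
        self._records: Dict[str, List[dict]] = {}    # pseudonym -> masked records

    def _pseudonym(self, user_id: str) -> str:
        # Random, not derived from the identifier, so a dump of the records
        # cannot be linked back to a person without the lookup table.
        if user_id not in self._lookup:
            self._lookup[user_id] = secrets.token_hex(8)
        return self._lookup[user_id]

    def store(self, user_id: str, record: dict) -> dict:
        masked = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        masked["subject"] = self._pseudonym(user_id)
        self._records.setdefault(masked["subject"], []).append(masked)
        return masked

    def inspect(self, user_id: str) -> List[dict]:
        """Data-subject access: everything held about this user."""
        p = self._lookup.get(user_id)
        return list(self._records.get(p, [])) if p else []

    def forget(self, user_id: str) -> int:
        """Right to be forgotten: drop the records and the link to them."""
        p = self._lookup.pop(user_id, None)
        return len(self._records.pop(p, [])) if p else 0

    def at_rest(self) -> List[dict]:
        """What an attacker would see in a dump of the record store alone."""
        return [r for rs in self._records.values() for r in rs]


def dump_exposes(dump: List[dict], identifier_values: List[str]) -> bool:
    """True if any known identifier value appears anywhere in the dump."""
    return any(v in str(r.values()) for r in dump for v in identifier_values)
```

A breach of the record store alone then yields purchase histories tied to opaque subject tokens, not to names or emails, while the lookup table is what needs the tightest access control.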

How Mage helps businesses with India’s Data Protection Act

Because there are still many ways in which India’s Data Protection Act could evolve before it’s passed, it might not be time to start actively shaping your systems for compliance with the specifics of this law. But it will pay to start laying the groundwork, no matter what the law ultimately contains—and taking steps to keep your company safe. This is especially true as more and more countries pass new laws concerning data privacy each year, such as the GDPR in Europe or the CCPA in the U.S. state of California.

Mage helps companies achieve compliance with data privacy laws right now. Whether that’s using its proprietary AI-driven personal data identification tools or using its powerful dynamic data masking suite to keep data restricted to the right people, it has the tools your business needs to ensure that data is kept safe and sound. Schedule a demo today to see what Mage can do for your business.