Indian Personal Data Protection Act, 2018: Draft Bill and Its History, Compared to EU GDPR and California Privacy Law

Abstract

2018 is a big year for data privacy and data processing regulation. On July 27, India published a draft bill for a new, comprehensive data protection law to be called the Personal Data Protection Act, 2018, only a few weeks after the European Union General Data Protection Regulation (GDPR) took effect on May 25, 2018 and California enacted the California Consumer Privacy Act of 2018 at the end of June. Brazil already followed with a new General Data Protection Law (Law No. 13,709/2018) only a few weeks later, on August 14, 2018. With the new law, the Indian government responds to a mandate from the Indian Supreme Court, which had directed the government of India in August 2017 to enact comprehensive data protection legislation. Before the Personal Data Protection Act becomes effective in India, there is no omnibus data protection regulation as in Europe, nor are there detailed sectoral privacy laws as in the United States. The new Indian Personal Data Protection Act adopts and further develops many existing principles of EU-style data processing regulation and some aspects of U.S.-style data privacy laws. Global companies can, and should try to, address the requirements of the new Indian Data Protection Law, the GDPR, the California Consumer Privacy Act and other privacy regimes simultaneously and holistically, in the interest of efficiency. But, it is also clear that companies cannot just expand the coverage of their GDPR-focused compliance measures to India without addressing the nuances of the new Indian Personal Data Protection Act, and the many differences compared to other jurisdictions' data processing regulations and data privacy laws. It is noteworthy that India is not maintaining its status quo, pursing lighter regulation, or following the U.S. approach of sectoral, harm-specific protections for individual privacy, in which the Silicon Valley rose to world leadership in information technologies and the broader U.S. technology sector flourished. Instead, India is leaning heavily towards the European model of restrictive data processing regulation. This shift could well affect India's globally leading information technology sector. In our article, we review the history and political context of the draft bill, summarize its key provisions, and compare them to the EU GDPR and the California Consumer Privacy Act.