Data Privacy Detective Podcast Episode 38 - India and Data Privacy, Get Ready!

June 21, 2019
Data Privacy Detective Podcast

India is about to enact a comprehensive data privacy law that will force global and Indian businesses to revise their approach. Stephen Mathias, Co-Chair of the Tech Team at Kochhar & Co., one of India’s premier law firms, explains how India will shift from relatively lax regulation of data privacy to one of the world’s most protective regimens once the new bill is enacted.

India has existing laws including the Information Technology Act of 2000 and a 2011 Act addressing security practices and sensitive personal data procedures, but nothing as far-reaching as the European Union’s GDPR. That is about to change. With India’s national elections concluded in May 2019 through basic continuity of government, the draft bill is expected to be finalized and enacted in 2019. The draft bill resulted from a 2017 decision of the Indian Supreme Court, which held that Article 21 of the Indian Constitution expresses a fundamental right of privacy that must be protected through appropriate legislation.

While the draft bill follows GDPR in its basic scope and approach, there will be significant differences. Consent will be a far more primary basis for collecting and processing personal data than is so under GDPR (where legitimate interest is a broad alternative to express consent). Data localization will be different. The draft bill expresses three categories of data that will require some degree of data localization, keeping data at least one server within India. Taken to the extreme, data localization could jeopardize the business of the important tech sector of India that handles non-Indian data for global companies. The final stage of the draft bill’s revision will reveal if an appropriate balance is struck between data localization and the age of the cloud (no one claims territorial ownership of the cloud!).

Should business wait for the final act’s approval? The advice is to get ready now. Globally involved businesses should review their existing policies, procedures and platforms. Any company collecting or processing personal data of Indian citizens and residents or having data managed by Indian BPO or other companies should get a head start in order to achieve timely compliance for what is the world’s fastest-growing large economy with one of the largest and most important populations – India.

If you have ideas for more interviews or stories, please email