Indian Personal Data Protection Act, 2018: Draft Bill and Its History, Compared to EU GDPR and California Privacy Law

19 Pages Posted: 1 Oct 2018  

Lothar Determann

Baker & McKenzie LLP; Freie Universit├Ąt Berlin; Berkeley School of Law; University of California Hastings College of the Law

Chetan Gupta

Baker McKenzie LLP

Date Written: September 3, 2018

Abstract

2018 is a big year for data privacy and data processing regulation. On July 27, 2018, India published a draft bill for a new, comprehensive data protection law to "be called the Personal Data Protection Act, 2018," only a few weeks after the European Union General Data Protection Regulation (GDPR) took effect on May 25, 2018 and California enacted the California Consumer Privacy Act of 2018 at the end of June. Brazil already followed with a new General Data Protection Law (Law No. 13,709/2018) only a few weeks later, on August 14, 2018.

With the new law, the Indian government responds to a mandate from the Indian Supreme Court, which had directed the government of India in August 2017 to enact comprehensive data protection legislation. Before the Personal Data Protection Act becomes effective in India, there is no omnibus data protection regulation as in Europe, nor are there detailed sectoral privacy laws as in the United States.

The new Indian Personal Data Protection Act adopts and further develops many existing principles of EU-style data processing regulation and some aspects of U.S.-style data privacy laws. Global companies can, and should try to, address the requirements of the new Indian Data Protection Law, the GDPR, the California Consumer Privacy Act and other privacy regimes simultaneously and holistically, in the interest of efficiency. But, it is also clear that companies cannot just expand the coverage of their GDPR-focused compliance measures to India without addressing the nuances of the new Indian Personal Data Protection Act, and the many differences compared to other jurisdictions' data processing regulations and data privacy laws.

It is noteworthy that India is not maintaining its status quo, pursing lighter regulation, or following the U.S. approach of sectoral, harm-specific protections for individual privacy, in which the Silicon Valley rose to world leadership in information technologies and the broader U.S. technology sector flourished. Instead, India is leaning heavily towards the European model of restrictive data processing regulation. This shift could well affect India's globally leading information technology sector.

In our article, we review the history and political context of the draft bill, summarize its key provisions, and compare them to the EU GDPR and the California Consumer Privacy Act.

Keywords: Data Privacy, Data Protection, Indian Personal Data Protection Act, Constitution

Suggested Citation

Determann, Lothar and Gupta, Chetan, Indian Personal Data Protection Act, 2018: Draft Bill and Its History, Compared to EU GDPR and California Privacy Law (September 3, 2018). Available at SSRN: https://ssrn.com/abstract=3244203 or http://dx.doi.org/10.2139/ssrn.3244203

Lothar Determann (Contact Author)

Baker & McKenzie LLP ( email )

660 Hansen Way
Palo Alto, CA 94304-1044
United States
6508565533 (Phone)

Freie Universit├Ąt Berlin ( email )

Kaiserswerther Str. 16-18
Berlin, 14195
Germany
+49 (0) 30 838-70000 (Phone)

Berkeley School of Law ( email )

2850 Telegraph Avenue
Suite 500
Berkeley, CA 94704
United States

University of California Hastings College of the Law ( email )

200 McAllister Street
San Francisco, CA 94102
United States

Chetan Gupta

Baker McKenzie LLP ( email )

United States

Register to save articles to
your library

Register

Paper statistics

Downloads
29
Abstract Views
233
PlumX