DIGITALEUROPE position on Indian Data Protection Bill 2018
DIGITALEUROPE welcomes the opportunity to submit comments on the draft Indian Personal Data Protection Bill 2018. As the voice of the technology industry in Europe, our association has been deeply involved in the negotiations that led to the adoption of the General Data Protection Regulation (GDPR), which shares similar concepts and approaches with the current Indian draft legislation.
The GDPR negotiations have strived to achieve a complex balance in ensuring strong protection while still enabling innovation and data flows, both within Europe and with foreign jurisdictions. We hope our experience in the drafting of the GDPR – and now its implementation – can help in advising on a Data Protection Bill 2018 that reflects a workable outcome.
Of particular concern to us are provisions aiming to impose data localisation. While the GDPR provides for very detailed instruments for transfers outside the European Economic Area, the objective of the European framework is still that of enabling cross-border data flows, subject to appropriate safeguards, rather than imposing local storage. The different goals of the Bill would not only hurt the Indian economy but ultimately also undermine the privacy and security of Indians’ personal data.
Finally, we note that several key concepts in the draft bill are left to be determined through codes of practice, by the Government or the Data Protection Authority (DPA) well after enactment. This makes the full impact of the proposed law difficult to predict in its entirety, leaving companies unable to shape in detail their compliance programmes as well as their internal practices and processes. DIGITALEUROPE urges that companies should have the necessary time to understand and implement the rules after all these determinations take place. Companies operating in Europe have found that the two-year implementation period foreseen by the GDPR, which was set to allow companies to take all necessary steps, was absolutely essential.