Since the Indian Supreme Court ruled that privacy is a fundamental right under the Indian Constitution, the government has been working to develop a comprehensive privacy and data protection framework. A first version was published in 2018 for consultation. Based on this draft, ESOMAR together with the Indian association MRSI, gave an initial analyse on the implication for data, research and insight community.
Since the initial draft, almost a year has passed and a new version of the law has recently been brought to the national parliament. This version has some significant changes compared to the consultation draft. The overall approach remains the same, in the sense that it remains a general privacy bill, which gives citizens (data principal) certain rights and only allows for organisations (data fiduciary) to process personal data under certain legal bases. Its structure thus follows similar laws to Europe’s GDPR and Brazil’s LGPD.
One of the major changes is that social media platforms are now seen as significant data fiduciaries, which means that they will have to comply with the obligations to execute data protection impact assessments, create a register of data processing activities, audit their policies, and appoint a data protection officer. The new draft also requires the social media platforms to offer their users an option to verify their identity and have this published on their profile.
Another big change is the introduction of a much stronger Right to Erasure. When the data is no longer needed for the purpose it was originally collected, the data principal has the right to have the data deleted. This goes beyond the Right to be Forgotten, as there is no balancing of other rights such as the right to information or the right of freedom of speech which is foreseen for the Right to be Forgotten.
The provisions around Privacy by Design have also been significantly expanded, now offering the possibility to have the policy certified by the Authority. Once certified the policy should be made public.
The new version of the law has now moved to the lower chamber of the Indian Parliament, the Lok Sabha, where it will be discussed in the coming weeks. ESOMAR will continue to monitor the developments and keep you updated. Do you need more in-depth, hands-on data privacy guidance? Check out our ESOMAR Plus service!
