India follows aspects of the EU’s General Data Protection Regulation
The Indian government looks set to legislate a Personal Data Protection Bill (DPB), which would control the collection, processing, storage, usage, transfer, protection, and disclosure of personal data of Indian residents. Despite its regional nature, DPB is an important development for global managers. The digital economy in India is expected to reach a valuation of $1 trillion dollars by 2022 — and it will attract numerous global players who must comply with DPB.
India has followed the EU’s General Data Protection Regulation (GDPR) in allowing global digital companies to conduct business under certain conditions, instead of following the isolationist framework of Chinese regulation that prevents global players like Facebook and Google from operating within its borders. Yet, Indian DPB carries additional provisions beyond the EU regulation. Because India is a nation-state, it would treat the data generated by its citizens as a national asset, store and guard it within national boundaries, and reserve the right to use that data to safeguard its defense and strategic interests.
There are a number of features of the DPB that will require companies to change their business models, practices, and principles. Many others will add operational costs and complexity. The issues we raise here serve as a primer for what businesses need to keep in mind about India’s new regulation and the increase in data protection regulation around the world. Understanding these issues will help digital companies plan ahead, address future regulations, and decide whether to enter or exit certain markets. [read more]