The Path to Recognition of Data Protection in India: The Role of the GDPR and International Standards

By providing rules of the road for data processing, data protection legislation has become a key enabler of the information society. The European Union’s General Data Protection Regulation (GDPR) has been highly influential around the world, and the recent Schrems II judgment of the Court of Justice of the EU, which strengthened restrictions on international data transfers under EU law, has important implications for India as it prepares to adopt data protection legislation. While the Puttaswamy judgment that recognised privacy as a fundamental right represents a great stride forward for privacy protection in India, legislation is necessary to establish the right to data protection in the Indian legal system. The proposed Personal Data Protection Bill does not provide a sufficiently high standard of data protection, particularly in light of surveillance initiatives and legal mandates to collect data under Indian law. India should view the strengthening of its legal framework for data protection not just as a way to receive an EU adequacy decision, but also as having broad societal benefits. In adopting data protection legislation India should align itself both with the GDPR and also more broadly with data protection standards of important international bodies, such as those of the Council of Europe and the OECD.