Peter Fleischer compares the EU definition of “sensitive personal data” to the definition in India’s new law and finds the EU definition lacking:
The European Data Protection Directive defines them as:
“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”
[…]
Now, for comparison, here is India’s just revised categories of “sensitive” data:
“unless freely available in the public domain or otherwise available under law, SPDI under the Rules is personal information which consists of information relating to:
password,financial information such as bank account, credit or debit card details as well as other payment instrument details,
physical, physiological and mental health condition,
sexual orientation,
medical records and history,
Biometric information (a defined term including fingerprints, eye retinas and irises, voice and facial patterns, hand measurements and DNA),
Any detail relating to the above when supplied for providing service, and
Any of the information described above received by an organization for processing, stored or processed under lawful contract or otherwise. “
Read more on Peter Fleischer: Privacy…?