In a major concession to overseas players, the Union Cabinet on Wednesday, while approving the Personal Data Protection Bill, dropped the clause that required storing a mirror copy of all personal data within the country. Once the Bill is approved by the Parliament — it will be introduced in the current session — firms dealing in such data can store and process them abroad. This is a departure from the recommendations of the Justice Srikrishna committee which had said that while personal data can be processed and stored abroad a mirror copy needs to be stored in India.
The US-based companies and the European Union had expressed reservations on this aspect and had even written to the government expressing their concerns.
However, critical personal data and data which are categorised as sensitive will need to be stored and processed in the country and here there will be no such provision of just keeping a mirror copy within the country.
In the case of sensitive data, processing can be done outside with the explicit consent of data owner. Sources said that the government will frame the definition of critical personal data and what all will fall within it.
The Srikrishna committee had said that critical/sensitive data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual.
However, it had added that the government should define critical personal data. “The Central government should determine categories of sensitive personal data which are critical to the nation having regard to strategic interests and enforcement requirements,” the report had said.
Sources said that companies may face a penalty of up to Rs 15 crore or 4% of global turnover for major violations under the proposed personal data protection law. “In case of major violations, the Bill proposes penalty of up to Rs 15 crore or 4% of global turnover (whichever is higher). For minor violations, penalty of Rs 5 crore or 2% of global turnover is proposed,” a source said.
Social media companies will be required to come up with a mechanism to track users on their platform who are willing to be identified on voluntary basis. The Bill has provisions to grant right to be forgotten to data owners as well as right to erase, correct and porting of data.
In its responses to the Srikrishna committee report, the European Union had said that the Indian government should not stress on data localisation as apart from being unnecessary and potentially harmful to the cause of data protection any such measure would create unnecessary costs, difficulties and uncertainties that could hamper business and investments.
When the draft data protection Bill, as drafted by the Srikrishna panel, was put out in public domain, the European Union had said, “As a matter of economic policy, such an approach (data localisation) will create significant costs for companies — in particular, foreign ones — linked to setting up additional processing/storage facilities, duplicating such infrastructure etc and is thus likely to have negative effects on trade and investment. If implemented, this kind of provision would also likely hinder data transfers and complicate the facilitation of commercial exchanges, including in the context of EU-India bilateral negotiations on a possible free trade agreement.”
