The ministry of electronics and IT (MeitY) is preparing a Cabinet note for the data protection Bill and a final consensus was required for it.
The government, which is aiming to introduce the data protection Bill in the ongoing Parliament session, is not going to dilute the localisation mandate for critical personal data despite pressure from the US and other global technology giants.
While the draft personal data protection Bill does not insist on personal data of residents of India to be stored only in India, it has made an enabling provision where the government can notify categories of personal data as critical data which would be only stored in India. For personal data, at least a copy should be stored in India.
The technology industry has been voicing concern around mandatory localisation of critical data as it feels government officials will move on an ad hoc basis, which creates a lot of uncertainty.
The debate around localisation gained momentum prior to the visit of US secretary of state Mike Pompeo to India. According to sources, in order to finalise its stand on data protection, on June 22, home minister Amit Shah held a meeting with IT minister Ravi Shankar Prasad and senior officials of the ministries of IT and home and some enforcement agencies.
“We are not deviating from the draft Bill when it comes to localisation,” a source in the government said.
A committee headed by ex-judge BN Srikrishna had last year given a set of proposals for a personal data protection law to the government. The Bill, based on the recommendations of the committee, has put in strong conditions for cross-border transfer of personal data. Only the Central government can prescribe the permissibility of transfers where it finds that the relevant personal data shall be subject to an adequate level of protection.
The mandatory localisation of personal data had drawn mixed reactions with privacy advocates cheering the move but industry, especially in the field of information technology, terming it as a trade barrier.
The draft Bill has mandated that explicit consent must be taken for processing sensitive personal data like biometrics, sexual orientation, and religious or political belief. Sensitive personal data comprises passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, caste or tribe and religious or political belief or affiliation.
The Bill had also proposed stringent penalties in case of any violation or misuse of personal data by public or private entities. For instance, if a data fiduciary, which can be a person, company or state, processes personal data in contravention of the Act, it would be liable to a penalty of up to ₹150 million or 4% of an entity’s total worldwide turnover in the preceding financial year, whichever is higher. If the data fiduciary fails to take prompt action in response to a data security breach, it would be liable to pay up to ₹50 million or 2% of its total worldwide turnover, whichever is higher.