Media reports on 04 December 2019 state that the Union Cabinet of India has approved the Personal Data Protection Bill. The Bill, which proposes a framework for the processing of personal and private data by public and private entities, is expected to be introduced in Parliament for consideration and passing in this Winter Session.
The Original Personal Data Protection Bill
The Personal Data Protection Bill of India was proposed in line with the European Union’s General Data Protection Regulation (GDPR). The draft bill, titled “The Personal Data Protection Bill, 2018”, was prepared by a panel led by former Supreme Court judge Shri BN Srikrishna. It proposes rules on collection, processing and storage of personal data, individuals’ consent, penalties and compensation, a code of conduct and an enforcement model.
After the news of the Cabinet approval of the Bill, it is unclear whether the approved Bill has been tweaked to accommodate the U.S. and Indian lobby groups, which may have used their clout to arm-twist India into agreeing on Data Localisation rather than Data Sovereignty, given that mandatory storage of data on Indian soil was proposed in the original draft.
The Tweaked Personal Data Protection Bill
The media reports have been quite contradictory; they said that personal data, such as one’s online purchases, destinations one visited and details of shopping etc., can now be freely taken abroad, stored and processed by the Internet giants. They do not need to keep a mirror copy of this information in India.
This is in complete contradiction to the original proposal, wherein the service providers were also to maintain a mirror copy of all data (both sensitive personal and non-sensitive) on Indian soil. The Bill now proposes that it is mandatory for firms to store sensitive personal information on servers located only in India, with no mention of any provision for non-sensitive data, which they can store outside India, even without maintaining a copy of it within India.
Certain reports mention that the Government's compulsion to carry out this tweaking was also to accommodate the reciprocal interest of Indian IT companies that do business abroad. The compulsory storage of data on Indian soil may also affect the costs of companies providing these services, as well as the migration of jobs across countries.
It is worth mentioning here that the classification of data into ‘Sensitive Personal Data’ and ‘Non-sensitive Data’ is again a matter of perception, and can never be without controversies.
(Note: There are many countries, like Russia, China, Germany, France, Indonesia, and Vietnam (to name a few), that follow a mandatory ‘Data Sovereignty Law’ over a ‘Data Localisation Law’, which requires that their citizens’ data be compulsorily stored on physical servers within the country’s borders.)
Provisions of Penalty
In the revised bill, the Government has also proposed a penalty of up to Rs 15 crore or four per cent of the global turnover (whichever is higher) on companies that violate the Personal Data Protection law. For minor violations, the penalty will only be Rs 5 crore or two per cent of global turnover.
Here again, the demarcation of the types of violation (or classification of violation) is difficult, and it is purely based on ambiguous interpretation.
Definition of Data Localisation and Data Sovereignty
Data Localisation: Data Localisation laws are regulations enforcing how data can be processed in a certain territory.
Data Sovereignty: Data Sovereignty refers to data being hosted in a particular country, whereby that country's or state's laws apply.
The proposed law is likely to impact multinational corporations operating in India. Managing this data, and also presenting stakeholders to the government and a representative for interaction with government agencies, is now enforceable on these service providers. It is also obvious that the government is entitled to get access to non-personal data to provide better services to citizens. For instance, the government can use non-personal or anonymous data for research or any other purpose. The government has also contended that “No personal data will be processed except for specific clear and lawful purpose that is available on social media and other platforms”.
As there is a lot of uncertainty and speculation in the air, it would be premature to arrive at any conclusion on aspects related to ‘Privacy Rights’ and also ‘Bias towards the service providers’. The Bill will be officially out by the end of the parliament session that is in progress, and it will then be liable to judicial scrutiny and review. So let us wait and watch.