At a time when the concerns around data security and safety continue to be a major cause for concern, the Union Minister of IT and Telecom, Ravi Shankar Prasad has said that the data protection bill is a work in progress and the government is seeking some additional clarifications.
It is to be noted that the Indian government has also been mulling over a data protection bill for the last one year.
The Draft Personal Data Protection Bill 2018 had defined personal data as any data of a natural person which allows direct or indirect identifiability. Further, sensitive personal data has been defined as financial data, biometric data, positive additions such as religious and political beliefs, caste, intersex/transgender status, and official government identifiers like PAN etc.
To ensure that Indian are not being affected by any global data breach, the government had proposed data localisation mandate in the bill. It also proposed that one copy of all personal data to which the law applies are to be kept in a server within India.
And this data localisation has erupted multi-directional approach from global and local companies. While tech giants such as Facebook and Google have raised flags on data localisation, the Indian companies have supported such localisation requirements.
Speaking at the ET startup awards, Prasad has now said, “We are seeking clarification with some prominent people in the field. India must become an important centre of data analytics. We need to balance between data availability, data privacy and data anonymity.”
He added that India needs to draw a distinction between personal and impersonal data. Impersonal data, according to Prasad, can be used for good. Further, he emphasised that Prime Minister Narendra Modi will never compromise on India’s data sovereignty.
Under this, the data localisation rules to be imposed under Section 40 emphasise that one copy of all personal data to which the law applies are to be kept in a server within India.
Further, certain categories of data, which are to be specified by the government as critical personal data are to be stored in India alone. At the same time, requirements for cross-border transfer of data are also imposed.
Under Section 32 of the data protection bill, data breach notifications have to be made to the Data Protection Authority of India (DPA) only if the breach is likely to cause ‘harm’ to the data principal.
Governments across the world are drafting and implementing laws around the flow of data. Countries such as Japan, Korea, and New Zealand have already passed data protection laws based on the principle of data localisation.
After the Facebook-Cambridge Analytica scandal, regulators around the world are looking for ways to be more proactive than reactive to the power of data. With very little precedent in terms of policy and laws, this has led to increased tensions between governments and tech companies.