India’s union cabinet headed by Prime Minister Narendra Modi, on Wednesday (December 4), approved the Personal Data Protection Bill, which aims to ensure the protection of personal data and sensitive personal data.
Information and broadcasting minister Prakash Javadekar said that the PDP Bill will be introduced in the Parliament during the current winter session. The speculation is that the Bill may contain broad guidelines on the collection, storage and processing of personal data, consent of individuals, penalties and compensation, code of conduct and an enforcement model.
The draft Personal Data Protection Bill was introduced in 2018 by the Srikrishna Committee and had defined personal data as any data of a natural person which allows direct or indirect identifiability. Personal data refers to any data of a natural person which allows direct or indirect identifiability. Sensitive personal data includes financial data, biometric data, positive additions such as religious and political beliefs, caste, intersex/transgender status, and official government identifiers like PAN etc.
The government held the second round of consultations on the same in August 2019, and the industry raised several concerns for the same. Recently, in a stakeholder discussion hosted by the Internet and Mobile Association of India (IAMAI) it was suggested to enhance ease of doing business, companies should be permitted to self-determined reasonable purposes of data processing.
Further, it was suggested that all legal bases for collecting, using and disclosing personal data should be treated equally instead of relying on consent as the primary ground for processing personal data.
To ensure that Indian citizens are not being affected by any global data breach or cyber-attack, the government had proposed data localisation mandate in the bill. It also proposed that one copy of all personal data to which the law applies are to be kept in a server within India.
Further, certain categories of data, which are to be specified by the government as critical personal data are to be stored in India alone. At the same time, requirements for cross-border transfer of data are also imposed.