Indian government has been working on defining what constitutes personal data and what is community data
Multiple government policy drafts have proposed data localisation norms
Draft data protection bill is undergoing a second round of consultations
Ministry of Electronics and Information Technology is likely to deny the Department for Promotion of Industry and Internal Trade’s appeal to include ecommerce data under the purview of its proposed personal data protection bill.
MeitY is said to take the stand that ecommerce data is community data and hence won’t be governed by DPIIT’s personal data protection bill.
According to a media report which cited a government official, “issues related to public data will be dealt with through a separate process once the government has established what constitutes personal data. That will in effect help to define what constitutes public data.”
While the government’s definition of personal and critical data seems to be continually evolving, it is interesting to note that India has declared Right to Privacy as a fundamental right in 2017.
Recently, MeitY was reported to have initiated a second round of consultations through a letter to select stakeholders seeking further clarifications on their earlier feedback to the draft personal data protection bill.
The second round of consultation included questions such as: Can non-personal data such as data from ecommerce sites, and community data be made freely accessible to all? Whether storage of personal data should also be mandated in India?
Government’s Push For Data Localisation
Following the severe cases of fake news and data breaches around the world, the BJP-led government has been aggressively pushing for a data localisation regime in almost all the recently proposed policy changes, including the Amendments to the IT Act, draft ecommerce policy and personal data protection bill.
Given these overlaps, there has been some obvious confusion among the stakeholders. The government is currently looking for ways to simplify its stance based on the nature of the data (personal or community data).
Earlier this month, Prime Minister Office was said to take a stand on the country’s data localisation policies. “The matter is now with the PMO. They will firm up India’s stance on data localisation,” a government official has reportedly said earlier.
Earlier at the G20 Summit, India’s Commerce and Industry Minister, Piyush Goyal said that countries must have sovereign right to use their data including personal, community, and public data, for the welfare of people. He also said that advocating for free trade should not necessarily lead to justification of data free flow.
Draft Data Protection Bill
Indian government has also been mulling over a data protection bill for the last one year. The Draft Personal Data Protection Bill 2018 had defined personal data as any data of a natural person which allows direct or indirect identifiability.
Further, sensitive personal data has been defined as financial data, biometric data, positive additions such as religious and political beliefs, caste, intersex/transgender status, and official government identifiers like PAN etc.
To ensure that Indians are not being affected by any global data breach, the government had proposed data localisation mandate in the bill. It also proposed that one copy of all personal data to which the law applies are to be kept in a server within India.
Further, certain categories of data, which are to be specified by the government as critical personal data are to be stored in India alone. At the same time, requirements for cross-border transfer of data are also imposed.
The bill had been opened for public consultations before and had received around 600 responses from a diverse set of stakeholders.