Amid ongoing concerns over privacy breaches and data theft, the government is now planning to allow internet giants to store and process Indian users’ non-personal data on international servers.
According to a TOI report, users' non-personal transaction data, which could include what they order, where they transact online and which payment method they use, can be stored and processed on international servers under the Personal Data Protection Bill (PDP), which has received cabinet approval. The bill will be taken to Parliament for approval soon.
While the original draft of the bill proposed that internet companies such as Google, Facebook and Amazon, among others, store a copy of this information in India, the new draft has no such provision.
Although the proposed bill lays out no data localisation provisions for non-personal data, it does mandate that companies store sensitive personal data within the boundaries of India. Personal data refers to any data of a natural person which allows any third party to directly or indirectly identify them. Sensitive personal data includes financial data such as UPI ID, card details, biometric data, positive additions such as religious and political beliefs, caste, intersex/transgender status, and official government identifiers like PAN and Aadhaar, as well as the actual name, phone number and email address.
The government has also made it mandatory for companies to store critical data locally. Critical data is a category which the government may update from time to time and which might include information related to national security, military and other sensitive topics.
Data Protection Authority
The PDP Bill also proposes the establishment of a Data Protection Authority to monitor violations of norms and keep an eye on incidents of data theft and privacy breaches, among others.
The bill also mandates various penalties for violations of norms and incidents of data theft and illegal processing. For violation of certain proposed norms, the bill mandates a penalty of INR 5 Cr or 2% of global turnover, whichever is higher, while for data leakage or illegal processing, it stipulates the highest penalty of INR 15 Cr or 4% of the turnover.
Moreover, for serious incidents of data breaches or privacy violations, the bill even proposes arrest and jail terms, which might extend up to three years, for senior officials from the top management of the violating company.
The media report added that the government might have allowed international companies to process Indian users’ non-personal data on their global servers to prevent a backlash against Indian IT companies doing outsourcing business abroad. It could also have seen the merits of the arguments posed by tech companies in this regard during the feedback phase.