The revised version of the much-awaited Personal Data Protection Bill, which will be tabled in the Parliament soon, was circulated among the parliamentary members yesterday. Contrary to expectations, the revised language in the bill lets companies transfer and process user data — including sensitive personal data — outside India after taking explicit consent from the user.
However, the bill maintained its stance on data localisation and noted that the sensitive personal data needs to be stored within India as well. Sensitive personal data definition includes financial data, health data, biometric data, sexual orientation, transgender status, genetic data, caste or tribe, religious or political belief and more.
Further, the bill has proposed that companies should delete any personal data collected from data principals or users once the purpose of the data processing is completed. However, this retention period can be extended by taking explicit consent of the user.
The only restriction on processing of data outside India has been applied to critical personal data, a data categorisation that will be defined by the central government. At the moment, there is no definition for what constitutes critical data.
Interestingly, while companies have a lot of restrictions in terms of consent gathering, state agencies would not need such consent for processing personal data.
Why Is Personal Data Protection Bill Important?
As internet penetration spreads across the globe to include more than half of humanity and India accounts for 12% of these 3.8Bn internet users — the concerns around data protection and cybersecurity have also taken pace. Today, smart devices powered by fast internet networks are collecting and storing data about every user action and behaviour from song preferences to viewership patterns, to health statistics and much more.
In such a world, the governance of how this data is stored and processed becomes indispensable. Thus, countries around the world have started to pay attention on creating data-related laws and policies.
The bill had then been opened for public consultations and had received around 600 responses from a diverse set of stakeholders. Following which, various state governments, global companies and the US government had criticised India’s data localisation proposals, claiming that certain policy proposals are discriminatory and trade distortive.
Later in August 2019, MeitY initiated a second round of consultations through a letter to select stakeholders seeking further clarifications on their earlier feedback to the draft personal data protection bill.