Business Standard, November 18, 2022
The government on Friday released for public consultation a revised version of the personal data protection Bill, which prescribes penalties ranging up to Rs 250 crore for data fiduciaries on account of failing to take safeguards to prevent personal data breaches.
Released more than three months after discarding the previous draft, the new one has eased the data localisation mandate of the earlier version, which had alarmed many big multinational technology companies.
The central government will, “after an assessment of such factors as it may consider necessary”, notify a list of countries or territories outside India to which the transfer of personal data will be allowed.
“The Bill is structured horizontally, so it is sector- and technology-agnostic. The RBI, for instance, can have its own regulations,” Ashwini Vaishnaw, union minister for electronics and information technology, told Business Standard.
Rajeev Chandrasekhar, minister of state for electronics and IT, said, “(The Bill) is a piece of modern legislation that achieves the seemingly contradictory objectives of data protection for our citizens, ease of doing business for industry, and public interest of efficient governance and national security.
Extensive consultation and inputs will be sought from all stakeholders in coming months as per honourable PM Narendra Modi ji’s vision of stakeholder-driven policy and law formulation.”
Several public advocacy groups and industry stakeholders have welcomed the new draft.
Before taking up anybody’s data, a fiduciary must give the person/entity an itemised notice containing a description of the personal data sought and the purpose of the processing of such personal data.
The Ministry of Electronics and Information Technology (MeitY) said the Bill would be open for public consultation until December 17, while the final version is expected to be tabled in the Budget Session of Parliament next year.
The draft Bill allows the Central government to appoint an independent “Data Protection Board of India”.
The board will determine non-compliance with provisions of the Bill and also decide on penalties for it. The details about the strength and composition of the board as well as the process of selection, terms, and conditions for appointment and removal of members of the board have not been given in the Bill.
A senior advocate of the Supreme Court said: “As compared to the 2019 Bill this is more crisp and focused. The Bill has taken a u-turn on data localisation requirements. The Reserve Bank in 2018 had taken the stand that all the banking data of the Indians needed to be in India … that now gets watered down. We need to come up with an approach that has a harmonious balance between the protection of sovereign interests and the protection and preservation of individual liberties.”
A senior official of an international industry body said: “Even though the new document seems to be simplified and progressive, the Central government has kept with itself exceptional powers.”
The new draft has exempted non-automated processing of personal data and offline personal data.
Rama Vedashree, an expert on data security, said this provision should have been reconsidered.
Amol Kulkarni, Director (Research) at CUTS International, said: “The draft provides significant unreasonable discretion to the Central government to notify trusted countries for the transfer of personal data outside India, without necessary procedural safeguards. It also empowers the Central government to exempt instrumentalities of state from its provisions without adequate checks and balances …”
Atul Keshap, president and ambassador (retd) of the US-India Business Council (USIBC), said: “We think the Bill has significant potential, especially with its emphasis on promoting cross-border data flows among trusted partners.”
A spokesperson of ITI Council, an industry body representing global tech companies, said: “We look forward to engaging with the government on its draft.”
This news item can also be viewed at: