Data bill moots ban on transfer of sensitive personal info abroad
- Personal data means any information – an individual’s particular characteristic, trait, attribute or feature – which may lead to identification of the person
- Companies have often argued that they should have the right to store the data in servers across the globe, adding that any law mandating local storage increases their cost
Violations – including unauthorized processing of personal data -- run the risk of severe financial censure, with the maximum penalty pegged at Rs 15 crore or four per cent of the worldwide turnover (whichever is higher). The exhaustive Bill – accessed and seen exclusively by TOI — follows a detailed report submitted to the government by a committee headed by Justice BN Srikrishna in July this year.
It seeks the formation of a Data Protection Authority to handle the gamut of issues related to the handling of personal information; dealing with companies handling and processing data; and ensuring adherence to rules and regulations that would be notified. And while the Bill – which the government hopes to introduce in the Parliament at the earliest possible opportunity (only a few days left in this session) -- does not bar cross-border transfer of ‘personal data’, it mandates that companies maintain a mirror copy of the information within India and importantly, also seek ‘consent’ of the individual who generates the data.
Personal data means any information – an individual’s particular characteristic, trait, attribute or feature – which may lead to identification of the person.
The bill’s recommendations, especially the one that bars transfer of sensitive personal data, is likely to create discomfort for global internet companies, many of which termed such restrictions as ‘anti-internet’ and ‘impractical’. Companies have often argued that they should have the right to store the data in servers across the globe, adding that any law mandating local storage increases their cost while being detrimental to their overall business interests.
The government, however, seems to think otherwise. While barring transfer of sensitive personal data, the bill even places restrictions on companies when they deal with personal data. “Every data fiduciary shall ensure the storage, on a server or a data centre located in India, of at least one serving copy of personal data.” The bill, in fact, also authorizes the government to “notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.” Exemptions may be provided on the “grounds of necessity or strategic interests of the state”, according to the bill.
And while allowing of transfer of personal data, the bill states that such cross-border movement should be allowed only if it is in line with contractual clauses that have been approved by the data protection authority. Also, the transfer needs to be to countries or organisations that have been prescribed by the central government in consultation with the authority.