12,352.35-3.15
Stock Analysis, IPO, Mutual Funds, Bonds & More

Government localises ‘critical’ & ‘sensitive’ personal data

There’s no restriction on other kinds of personal information, partially taking into account the demands of global companies such as Google and Facebook, while aiming to safeguard data sovereignty. The Bill, which has not been made public yet, will be introduced in the current session of Parliament on “priority”.

Updated: Dec 05, 2019, 12.21 PM IST
0Comments
Getty Images
data-protection-Getty
India is fast becoming the world’s largest data market with close to 450 million internet users, second only to China, and there is a growing focus on protecting India’s data assets and their monetisation.
NEW DELHI | BENGALURU: The Personal Data Protection Bill proposes that all “critical” information related to individuals will be stored and processed only in India, while all “sensitive personal data” has to be stored in the country but can be processed outside subject to certain conditions.

There’s no restriction on other kinds of personal information, partially taking into account the demands of global companies such as Google and Facebook, while aiming to safeguard data sovereignty. The Bill, which has not been made public yet, will be introduced in the current session of Parliament on “priority”, said a top government official. It was cleared by the Cabinet on Wednesday.

Social media firms must put in place systems to verify users and rein in trolling and misinformation, says the Bill.

The legislation has retained the provisions in the draft framed by the Justice BN Srikrishna panel on storing “critical” and “sensitive personal data” in the country while enabling free flow of other information. Sensitive personal data covers financial, health and genetic information, apart from biometrics, religious beliefs and affiliations.

Such data can be processed outside the country with the consent of the individuals concerned or under contractual clauses that have been approved by the Data Protection Authority.

India is fast becoming the world’s largest data market with close to 450 million internet users, second only to China, and there is a growing focus on protecting India’s data assets and their monetisation.

“The government wants the widest debate on the proposed Bill before the parliamentary process,” said the official, adding that it creates an ecosystem of robust data processing in the country. This will be used for objectives such as prevention of offences, creation of new technologies and so on, he said.

Justice Srikrishna welcomed the development and said he expected a vigorous debate on the law.

1

“I am happy that the Bill has been cleared by the Cabinet,” he told ET. “I expect that perhaps it will go to a select committee (of Parliament). It is too complicated an issue to be passed with little debate.”

The Bill has retained most of the framework suggested by the committee, including the consent framework, establishment of a Data Protection Authority and an appellate tribunal.

In order to make social media companies more “responsible”, they will have to devise a mechanism by which users can voluntarily verify themselves. Users who don’t want to be part of this process will be clearly flagged. This will help detect fake user accounts engaged in trolling or spreading misinformation, the official said.

“Companies will have to devise ways to do it,” he said. “It will make them more responsible. How to conduct the verification and whether there has to be a KYC (know your customer) or not will be decided later.”

ANONYMISED DATA
The Bill gives the government power to direct any data fiduciary to give anonymised data for better targeting of services and information — such as the number of cars on ride-hailing platforms like Uber — for improved policies and governance.

A committee on non-personal data headed by Infosys cofounder Kris Gopalakrishnan will identity the categories and types of such information and their reach, said the official. “It’s a fine blend of the right of Indians to operate on social media but in a responsible manner.”

The Srikrishna committee, which submitted the draft Personal Data Protection Bill to the government in July 2018 after a year-long consultation process, had recommended that one copy of all personal and sensitive personal data be stored in India and could be processed outside subject to conditions.

2

“While I would wait to see the Bill tabled in Parliament, if there is a relaxation on not mandating personal data records to be stored in India, then it is a progressive move,” said Rama Vedashree, CEO of the Data Security Council of India (DSCI). Vedashree, who was a member of the Srikrishna committee, said the country’s IT and ITeS industry, which services global corporations out of India, will benefit from cross-border data flows.

Critical data, which can’t be sent outside India, has not been defined in the Bill and has been left to the government to identify from time to time. The official also said that while remaining personal data is free to be stored or processed outside India, the consent of the individuals will be needed for its collection.

Mukesh Aghi, president of the USIndia Strategic Partnership Forum (USISPF), which represents companies such as Google, said that 2-5% of personal data is “critical”, while 5-15% may be “sensitive”.

“We understand the needs of a nation to protect its critical data and it’s fine if you can process the sensitive data outside since the cost is not that high and there are no restrictions on rest of the data,” he said. “Value of the data is when it flows.” He added that the government has reached a good compromise by trying to accommodate the requirements of global industry and domestic concerns.

FEEDBACK FROM STAKEHOLDERS

The government received feedback from 620 stakeholders including foreign governments, technology companies, corporate associations and civil society on the draft Bill.

“Without data sovereignty, data protection is a myth,” said Vinit Goenka, former national co-convenor of Bharatiya Janata Party’s IT cell. “It’s a welcome move. Data localisation will help India harness the economic benefit of data and remove the fear of access by enemy states. Our law enforcement agencies can easily access the data in case of a breach, which is not the case right now,” he added.

There haven’t been any changes to the penalties imposed — Rs 5-15 crore or 2-4% of global turnover, apart from jail terms for executives in charge of operations in case of grave offences such as re-identifying personal data that’s been de-identified by the data processer. Penalties are to be awarded by adjudicatory officers, or the adjudicating wing of the Data Protection Authority after “due enquiry”, the official said.

The draft Bill includes exemptions for the government from certain rules applicable to the collection and storage of personal and sensitive data if such processing was required for the functioning of the government or Parliament. This provision of free access to citizen data by the government has been criticised by activists.

“The data protection Bill is like a double-edged sword,” said Jaspreet Singh, partner, cyber security, EY. “On the one hand it protects the personal data of Indians by empowering them with data principal rights, and on the other hand it bestows the central government with exemptions that are against principles of processing. The State can process even sensitive personal data when required, without an explicit consent from the data principals… These are broadly worded carve-outs that can be misused and hence need to be carefully examined.”

To maintain sovereignty and national security and prevent communal violence, investigative agencies will be given exemptions.

“Investigation of crime is also a lawful public purpose,” said the official cited above. “We can’t cage the right of the investigation agencies.”
Comments
Add Your Comments
Commenting feature is disabled in your country/region.

Other useful Links


Copyright © 2020 Bennett, Coleman & Co. Ltd. All rights reserved. For reprint rights: Times Syndication Service