The government is learnt to have relaxed the mandatory storage and processing requirement for all kinds of personal data and made a case for the collection of anonymised data from companies for planning government schemes in its long-awaited draft data protection Bill, which was approved by the Union Cabinet on Wednesday.
The Bill categorises data as sensitive personal data and critical personal data. Sensitive data includes passwords, financial data, health data, sexual orientation, biometric data, genetic data, transgender status, and caste. Critical data will be defined by the government from time to time.
All companies will have to store the critical data of people within the country, but they can transfer sensitive data overseas after explicit consent of the data owner to process it only for purposes permissible under law once the Bill is approved by Parliament, government sources said.
There is a relaxation on storing a copy of all personal data in India, or mirroring. “The government will have the right to direct a data fiduciary to share anonymised or non-personal data for better targeting of service, policy-making, relief work, etc,” said a source. All other aspects of non-personal data will be handled by a committee headed by Infosys co-founder Kris Gopalakrishnan. The Cabinet's approval paves the way for the Bill to be tabled in Parliament in the ongoing winter session.
The Bill has left the penalties unchanged — up to Rs 15 crore or 4 per cent of an entity's global revenue if it is found guilty of a major violation under the Bill, while Rs 5 crore or 2 per cent of the global turnover will be the penalty for minor violations.
Another new aspect is the inclusion of social media companies, which will be required to provide a way to identify the users on their platform who are willing to be verified on a voluntary basis. Social media companies are identified as the largest data processing entities or fiduciaries. “Under the provision, a social media fiduciary will have to give users on its platform an option to get verified. It will be voluntary for individuals if they want to get verified or not," the source said.
The Personal Data Protection Bill has been in the works for nearly a year now, and has been giving the technology sector the jitters because the final draft has not been made public. However, the Bill, once it gets passed, will have repercussions for industries across the board -- from retail to aviation, manufacturing to automobiles, and even your local grocer, if he stores your details in a digital format.
Data localisation, data fiduciary’s responsibilities, steep fines, and classification of personal and sensitive personal data were thorny issues in the first draft.
A draft of the Bill was made public by the Ministry of Electronics and Information Technology on July 27 last year. It detailed the rules and obligations for different entities which process personal data in the country, and came under a lot of criticism for the way it proposed handling cross-border data flows.
It was opened for public consultation last year, but the Bill in its final form has not seen the light of day. The ministry reportedly received over 600 submissions, but did not make them public. The government has held several rounds of consultations with different stakeholders after the first draft, but the Bill or any modification was not opened up for further comments.