MEITY has released the report on the data protection framework along with the draft Bill on 27.07.18. We are analysing these. The report has dissent notes from Ms. Rama Vedashree, DSCI (pg. 207) and Prof. Rishikesha T Krishnan (pg. 213). Our quick take, along with a summary of the Bill pointing to the proposed restrictions around cross-border data flow, is enclosed (see below). We will be working closely with industry and government in shaping the policy as the government and regulators develop, realign or sharpen their stand on the topic.
- MEITY has sought public comments on the report and the draft Bill by 10.09.2018.
- The Bill provides a much-needed framework for data protection and privacy in the country. It builds on the earlier efforts in India at consolidating data protection principles found under several pieces of sector-specific legislation and the express re-statement of the fundamental right to privacy by the Supreme Court of India in its judgment in K.S. Puttaswamy v. Union of India.
- It is a step towards creating a sector-agnostic data protection framework, which calls for all stakeholders to be more responsible and build trust while dealing with personal data.
- It recommends creating an institutional regulatory structure through a Data Protection Authority (DPA), and includes new age regulatory principles such as Privacy by Design.
- With this initiative, India is now in a select band of countries moving towards a comprehensive data and privacy protection regime.
1. NASSCOM-DSCI view
The Personal Data Protection Bill released by the Justice Srikrishna committee has suggested a much needed framework for data protection and privacy in the country. The Bill builds on the Supreme Court Judgement that advocated privacy as a fundamental right for the country and creates a framework for all stakeholders to be more responsible and build trust while dealing with personal data. NASSCOM-DSCI welcome the thrust on creating an institutional structure through a Data Protection Authority in the country as well as the importance of Privacy by Design.
NASSCOM-DSCI has been advocating for a healthy balance between privacy and innovation, given that India is today emerging as a preferred hub for innovation and STEM talent globally. Policies that govern data protection, storage and classification need to be carefully crafted given the global footprint of the IT-BPM sector. Service providers in India process financial, healthcare and other data of citizens globally. India is also the destination for R&D, Product Development and Analytics, and Shared Services.
Mandating localization of all personal data as proposed in the bill is likely to become a trade barrier in the key markets. Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets.
A detailed analysis of the bill is being undertaken and NASSCOM-DSCI welcome the reassurance of an extensive consultation process before the Bill is enacted into law.
2. Quick reference to treatment on data localisation. See attached summary for details.
- Personal data: A copy of all personal data is required to be stored in India. There are restrictions on transferring personal data outside India.
- Sensitive personal data: Passwords, financial data and official identifiers are being treated as sensitive personal data. A copy of all personal data is required to be stored in India. There are restrictions on transferring personal data outside India. (Drafting inconsistency in S.40 and S.41 makes interpretation of restrictions on transfer of sensitive personal data ambiguous.)
- Critical personal data: The Government has the power to notify critical personal data which would be required to be processed only in a server in India. This suggests that such data needs to be stored as well as processed only in India. It can only be transferred out of India for provision of health services or emergency services where such transfer is strictly necessary, or to a particular country, a prescribed sector within a country or to a particular international organisation where the Central Government is satisfied that such transfer or class of transfers is necessary and does not hamper the effective enforcement of this Act.
- Criminal Offence: Offences under the Act are treated as non-bailable criminal offences.
- Anonymised data: The Bill does not apply to processing of anonymised data.
- Date of restrictions on data flow coming into force: The Bill leaves it to the Government to decide when to notify the restriction on cross-border flow of data, including the requirement to store a copy of personal data in India.