MEITY has released the report on the data protection framework along with the draft law on 27.07.18. We are analysing these. The report has dissent notes from Ms. Rama Vedashree, DSCI (pg. 207) and Prof. Rishikesha T Krishnan (pg. 213). Our quick take and a summary of the Bill, pointing to the proposed restrictions around cross-border data flow, are enclosed (see below). We will be working closely with industry and government in shaping the policy as the government and regulators develop, realign or sharpen their stand on the topic.
1. NASSCOM-DSCI view
The Personal Data Protection Bill released by the Justice Srikrishna committee has suggested a much-needed framework for data protection and privacy in the country. The Bill builds on the Supreme Court Judgement that advocated privacy as a fundamental right for the country and creates a framework for all stakeholders to be more responsible and build trust while dealing with personal data. NASSCOM-DSCI welcome the thrust on creating an institutional structure through a Data Protection Authority in the country as well as the importance of Privacy by Design.
NASSCOM-DSCI has been advocating for a healthy balance between privacy and innovation, given that India is today emerging as a preferred hub for innovation and STEM talent globally. Policies that govern data protection, storage and classification need to be carefully crafted given the global footprint of the IT-BPM sector. Service providers in India process financial, healthcare and other data of citizens globally. India is also the destination for R&D, product development, analytics and shared services.
Mandating localization of all personal data as proposed in the bill is likely to become a trade barrier in the key markets. Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets.
A detailed analysis of the bill is being undertaken and NASSCOM-DSCI welcome the reassurance of an extensive consultation process before the Bill is enacted into law.
2. Quick reference to the treatment of data localisation. See attached summary for details.
- Personal data: A copy of all personal data is required to be stored in India. There are restrictions on transferring personal data outside India.
- Sensitive personal data: Passwords, financial data and official identifiers are being treated as sensitive personal data. Sensitive personal data has to be stored only in India, barring some exceptions. It can only be transferred out of India for provision of health services or emergency services where such transfer is strictly necessary, or to a particular country, a prescribed sector within a country or to a particular international organisation where the Central Government is satisfied that such transfer or class of transfers is necessary and does not hamper the effective enforcement of this Act.
- Critical personal data: The Government has the power to notify critical personal data which would be required to be processed only in a server in India. This suggests that such data needs to be stored as well as processed only in India.
- Criminal Offence: Offences under the Act, including those related to personal data, are treated as criminal offences.
- Anonymised data: The Bill does not apply to processing of anonymised data.
- Date of restrictions on data flow coming into force: The Bill leaves it to the Government to decide when to notify the restriction on cross-border flow of data, including the requirement to store a copy of personal data in India.