As the union cabinet approved the Personal Data Protection Bill 2019 on Wednesday, highly places sources within MEITY have revealed that there has been a rollback, in part, of stiff data localisation norms as proposed by the Justice Sri Krishna Committee.
The draft of the Data Protection Bill 2018 emerged after exhaustive consultations by the Justice Srikrishna Committee. Since then, based on inter-ministerial consultations, changes were made to the 2019 bill. Changes made to the bill and the new draft approved by the cabinet have not been made public.
Senior officials of MEITY have confirmed to CNBC-TV18 the broad contours of the 2019 bill. One of the biggest changes has been watering down the data localisation norms. As per section 40(1) of the 2018 draft, every data fiduciary was required to store at least a mirror copy of the data in servers on India shores. This condition has partly been done away with.
It is also learned that data is now categorised as sensitive, critical and personal. Under the new draft, sensitive data which includes financial data, health data, sexual orientation, etc. have to be stored in India, but can be processed overseas, in case of explicit consent. Critical data has to be defined by the government and must be stored and processed only in India.
For general data, sources reveal that no conditions have been slapped on data fiduciaries regarding storage or processing. This was one of many long-standing demands of global tech companies and industry bodies. Various submissions by leading global industry bodies had warned that digital innovation and investment would suffer if the government tried to mandate the storage and processing of Indian servers.
Another interesting change that the new bill brings about is the concept of 'Significant Data Fiduciary'. CNBC-TV18 learns that based on factors such as a number of users, the volume of data, the sensitivity of data and turnover of data, under the bill, the Data Authority could classify certain entities as 'Significant Data Fiduciary'. Under the bill, classification as a 'Significant Data Fiduciary', would entail additional responsibilities, legal obligations, and compliance burden.
In a move aimed at social media companies, the bill seeks to mandate developing a voluntary user verification mechanism. The intent of the bill is to ensure that users on social media portals can identify other users as being verified, unverified or as being from other countries.
Other aspects of the new bill are similar to the draft bill of 2018. The Personal Data Protection bill envisages a Data Protection Authority. It will be the nodal and regulatory authority for data protection in India and it will look to ensure compliance with the statute. Decisions by the authority will be appealed before a tribunal and directions by the tribunal could then be appealed before the Supreme Court.
The new bill, just as the draft, also boasts of teeth, in case of violations. As per sources, offences such as failure to register or failure to conduct a data impact assessment could result in penalties of Rs 5 crore or 2 percent of global turnover, whichever is higher. Violations such as sending data overseas without consent, mishandling of children's personal data could invite penalties of up to Rs 15 crore or 4 percent of the global turn over, whichever is higher.
The bill, as per sources, also provides for criminal consequences. Certain offences can result in imprisonment of 3 years under Section 82.
MEITY sources have also revealed that this legislative intent behind the bill is not merely to ensure a safety net for data of individuals but to also act as an impetus for a data processing industry in India.
Government sources have argued that the data processing ecosystem is fast emerging in India and that India can play the role of a data refinery. Government sources have also expressed confidence in the bill and claimed that the government is keen on the widest possible debate through a parliamentary process.