The Personal Data Protection Bill, 2019 was tabled in the Parliament on December 11, 2019. This is not the same as what was earlier drafted under the chairmanship of Justice BN Srikrishna. The committee under the chairmanship of Justice Srikrishna had done a detailed analysis and study of various issues relating to data protection in India and made specific suggestions on principles to be considered for data protection in India.
The submission of the draft had come after detailed consultations with various stakeholders for over one year. There was severe criticism of this bill, especially for data localisation. The government came up with a revised bill and tabled it in the Parliament. Subsequently, the government set up a Joint Parliamentary Committee (JPC) to evaluate this bill and place the report in the budget session of the Parliament. India Inc is closely monitoring all the developments in this sector.
The bill drafted by Justice Srikrishna faced a lot of criticism because of the localisation requirement for personal data within the boundaries of India. The Central government, after taking all the criticism into account, came up with a modified bill in December 2019. The mandatory requirement of storing a mirror copy of all personal data in India was done away with. Now, in the revised bill, localisation of data is only required for sensitive and critical personal data. However, it is to be noted that the serving copy of the sensitive and critical personal data must be stored in India, and its transfer outside the country comes with its own conditions.
Critical and sensitive personal data
It has now been made mandatory that critical personal data will only be processed within the geographical location of the country. However, sensitive personal data may be transferred outside the country on explicit consent, together with any one of the following additional conditions:
- The transfer is to comply with the contract or intra-group scheme approved by the Data Protection Authority (DPA) which protects the Principal's rights.
- The transfer is to a country which provides an adequate level of protection.
- Explicit specific approval from the DPA for any specific purpose.
Now, in the revised bill, cross-border transfer is permissible, but a serving copy of the sensitive data must still be stored within the geographical location of the country. At present, critical data is not defined, and the Central government may categorise any data as critical data from time to time. It is to be noted that critical data may be transferred outside the country if such transfer is to a:
- person or entity engaged in providing health and emergency services, where prompt action is required. However, the government has made it mandatory to notify the DPA within a specific period.
- country or entity which the Central government deems permissible after evaluating the adequacy of protection measures, provided such transfer does not cause prejudice to the security and strategic interest of the state.
It has to be noted that the fiduciaries can process personal data outside India provided they obtain explicit consent from the Principal. India Inc has welcomed this move of the Central government for cross-border transfer of data.
Justice Srikrishna's criticism
Justice Srikrishna, the original architect of the first draft bill, was critical of the revised bill. The power of exemption from all the provisions of the law in favour of a government agency is a disastrous move. He also feels that the DPA's composition is dominated by the government as against the original bill which had diverse and independent representation.
Outcome of the JPC
However, it will be interesting to see the recommendation of the JPC report which is expected to be placed in the budgetary session. The final bill is yet to take shape and India Inc is anxiously waiting to see the final shape of the bill.
K Satish Kumar is a keynote speaker, author, the Global Head of Legal and Chief Data Protection Officer of Ramco Systems. The views are personal.