BSA, the software alliance that represents Microsoft, Apple, Amazon Web Services (AWS), Intel, Adobe, Akamai, Oracle and IBM wants the government to “undertake further consultation” before they introduce the Personal Data Protection Bill, 2018 in the Parliament, Business Insider reported quoting Venkatesh Krishnamoorthy, the Country Manager, BSA India. The alliance feels that the data protection bill, which is expected to be tabled in the budget session of Parliament starting June 17, is “considerably different” from what was initially presented to it. Krishnamoorthy believes that since the GDPR is about to complete a year, “there were[are] learnings” that India can take from EU’s experience of the laws. While he believes that India’s data protection bill is a “step in the right direction” and appreciates the “thorough efforts” made by the government in drafting the bill, a further round of consultations will make the bill “more robust” than what it currently is.

Medianama has reached out to Krishnamoorthy for comment, we will update this when we hear from him.

Ravi Shankar Prasad, however, has already announced that one of his key priorities as IT Minister would be to pass the Personal Data Protection Bill, 2018 in the first session of the Parliament. The bill  was drafted by a panel headed by (Retd) Justice BN Srikrishna and submitted to the government in August 2018. It was expected to be taken up in the final session of Parliament before the 2019 general elections, but wasn’t introduced at all. Following are some of the key features of the Bill:

Key highlights of the Personal Data Protection Bill, 2018

  • Personal data has been defined as data which makes an individual directly or indirectly identifiable. The definition does not specifically mention any particular form of data or attribute. The bill excludes anonymised data from the application of this law.
  • Apart from defining personal data the bill labels certain information as sensitive personal data as it existed under SPDI (sensitive personal data and information) Rules of the IT act, this has been expanded to include passwords; financial data; health data; official identifier; sex life; sexual orientation; biometric data; genetic data; transgender status; intersex status; caste or tribe; religious or political belief or affiliation.
  • The law will extend to data fiduciaries or data processors who operate outside the country, if they carry out processing of personal data in connection either with any business carried on in India, systematic offering of good and services to data principles in India, or any activity which involves profiling of data principals (individual users) within of India.
  • Legal grounds for processing under the bill include consent, functions of state, compliance with law or order of court/tribunal, for prompt action in case of emergencies, purposes related to employment and reasonable purposes of the data fiduciary.
  • The bill provides certain rights to the data principal (i.e. the individual) this includes the right to confirmation and access, right to correction, right to data portability and right to be forgotten.
  • Platforms operating under this law will have to adhere to certain transparency and accountability measures. These include Privacy by design, data protection impact assessment, record keeping, appointing a data protection officer and data audits.
  • The bill places restrictions on cross-border transfers of data. The bill mandates storing a mirror of all personal data within the territory of India. The bill also empowers the central government to classify any sensitive personal data as critical personal data and mandate its storage and processing exclusively within India.
  • The bill establishes an independent authority called the Data Protection Authority of India that is empowered to oversee the enforcement of the bill. The adjudication process will be looked after by the adjudication wing of the Authority.
  • The bill lays down financial penalties for non-compliance ranging from Rs 5 crores or 2% of total worldwide turnover to Rs 15 crores rupees or 4% of the total worldwide turnover.

Localisation in the Data Protection bill

The localisation requirement, which restricts cross-border transfer of data, in the Srikrishna Committee’s final bill is among the legislation’s most contentious features. The bill requires all data fiduciaries to store a copy of users’ personal data in India.

Restrictions on Cross-Border Transfer of Personal Data. —

(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.
(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.
(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under subsection (1) on the grounds of necessity or strategic interests of the State.
(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.

(from the Personal Data Protection Bill, 2018; emphasis ours)

It is the localisation requirement that has rattled the tech world, and also the civil society the most. “Data localisation is bad for business, users, and security,” Mozilla had said in a statement. Rama Vedashree and Prof. Rishikesha T Krishnan, who were both members of the Srikrishna committee, put on record their dissent on keeping a copy of personal data in India. “This narrative [that localisation is a tool for domestic market development],” Vedashree had said in her dissent, “seems fuelled by unfounded apprehensions and assumptions, rather than evidence and reasoning”.