India’s Personal Data Protection Bill has been introduced in the Parliament’s lower house, the Lok Sabha, and is likely to be sent to a Joint Parliamentary Committee, comprising of 30 members (20 from the Lok Sabha, 10 from the Rajya Sabha). After the committee makes its recommendations, it will be tabled in the Lok Sabha for passing, after which it will be sent to the Rajya Sabha (the upper house of Parliament) for passing, and then to the President for his assent before it becomes a law. This law has been two years in the making, and will lead to the creation of a Data Protection Authority in India, the imposition of norms on collecting and processing of data, as well as the cross-border transfer of data. Key aspects of the bill: 1. Kinds of personal data: The Bill regulates 3 categories of data - Personal Data, Sensitive Personal Data, and Critical Personal Data. Sensitive personal data may be transferred for processing outside India with the user’s explicit consent and the Data Protection Authority’s or Central government’s permission , but needs to be stored only in India. Sensitive personal data includes financial data, health data, sexual orientation, transgender status, case/tribe, and religious or political beliefs. The Central government and DPA can together also notify further kinds of data as sensitive personal data. “Passwords” have been removed from the list of sensitive personal data listed in the bill. Critical personal data has not been defined and what it is will be…
