Tech majors such as Google, Amazon and Meta are seen benefitting from the new draft which eases certain curbs on cross-border data transfer – unlike previous versions where conditions had been specified – although it’s silent on the need to maintain mirror copies (within India) of “sensitive personal data” such as financial, health and biometric information of users. In August, the government had junked the earlier draft.
Draft data bill gives power to Centre to exempt state agencies from its provisions
The new draft personal data protection bill released on Friday addresses several sticking points in the previous draft which global tech companies had opposed, such as restrictions on the transfer of such data as well as the need to store it within India (called data localisation).
“The central government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary (consumer internet and social-media companies) may transfer personal data, in accordance with such terms and conditions as may be specified,” the draft said.
“It will be a relief as there will be a certain list of whitelisted countries. So, if the US is one of them, it will ease a lot of stress for big companies,” said Supratim Chakraborty, a partner at law firm Khaitan & Co.
Rupinder Malik, partner at law firm JSA, said the draft does away with “some contentious clauses that caused indu- stry pushback” in earlier versions. “Particularly data mirroring, data localisation requirements, and overall compliances appear to be limited compared to the previous Bill. The legislative intent appears to be tech and IT business friendly, focused on facilitating cross-border data flows.”
Details of several provisi- ons are expected to be part of the rules that will be notified once the law is enacted. Communications and IT minister Ashwini Vaishnaw said the government would examine all aspects with an open mind and take the bill to Parliame- nt after proper consultations.
The draft also does away with the earlier plan for penalties for serious breach, which was proposed at Rs 15 crore or 4% of the global turnover of a company, whichever was higher. Now, the penalty is proposed to be increased to Rs 500 crore.
JSA’s Malik says “some aspects that have been watered down could potentially reduce overall protection accorded to individual privacy rights”.
In another relief for Big Tech, a clause in the previous bill that empowered the government to ask a company to provide anonymised personal and non-personal data to help target delivery of government services or formulate policies, has been removed.
While batting for consumers, the new draft requires user consent before collecting personal data. Also, companies will be permitted to store the data for a specified period.
The draft also gives powers to the Centre to exempt state agencies from provisions of the bill “in the interests of sovereignty and integrity of India”. The draft covers personal data collected online and di- gitised offline data. It will also apply to the processing of personal data abroad if such data involves profiling Indian users or selling services to them.