The Union Cabinet of India approves the proposed Personal Data Protection Bill: Have we settled for Data Localisation rather than Data Sovereignty?
Media reports on 04 December 2019 state that the Union Cabinet of India has approved the Personal Data Protection Bill. The Bill, which proposes a framework for the processing of personal and private data by public and private entities, is expected to be introduced in Parliament for consideration and passing in this Winter Session.
The Original Personal Data Protection Bill
The Personal Data Protection Bill of India was proposed in line with the European Union’s General Data Protection Regulation (GDPR). The draft bill, titled “The Personal Data Protection Bill, 2018”, was prepared by a panel led by former Supreme Court judge Shri BN Srikrishna. It proposes rules on collection, processing and storage of personal data, individuals’ consent, penalties and compensation, a code of conduct and an enforcement model.
After the news of the Cabinet approval of the Bill, it is unclear whether the approved Bill has been tweaked to accommodate the U.S. and India lobby groups, which may have used their clout to arm-twist India into agreeing to Data Localisation rather than Data Sovereignty, when the original draft proposed mandatory storage of data on Indian soil.
The Tweaked Personal Data Protection Bill
The reports in the media have been quite contradictory; they say that personal data held by the Internet giants, such as one’s online purchases, destinations one visited and details of shopping, can now be freely taken abroad and stored and processed. They do not need to keep a mirror copy of this information in India.
This is in complete contradiction to the original proposal, wherein the service providers were also to maintain a mirror copy of all data (both sensitive personal and non-sensitive) on Indian soil. The Bill now proposes that it is mandatory for firms to store sensitive personal information on servers located only in India, with no mention of any provision for non-sensitive data, which they can store outside India even without maintaining a copy of it within India.
Certain reports mention that the Government’s compulsion to carry out this tweaking was also to accommodate the reciprocal interest of Indian IT companies who do business abroad. The compulsory storage of data on Indian soil may also impact the cost factor of companies providing these services, as well as the migration of jobs across countries.
It is worth mentioning here that the classification of data into ‘Sensitive Personal Data’ and ‘Non-sensitive Data’ is again a matter of perception, and can never be without controversies.
(Note: There are many countries, like Russia, China, Germany, France, Indonesia, and Vietnam (to name a few), that follow a mandatory ‘Data Sovereignty Law’ over a ‘Data Localisation Law’, which requires that their citizens’ data be compulsorily stored on physical servers within the country’s borders.)
CYBER SECURE INDIA