India's new privacy bill proposes cross-border data transfer, tough penalties


New Delhi, Nov 18: In a relief for Big Tech, the IT Ministry on Friday proposed a new draft of the digital personal data protection bill that will allow cross-border transfer of some users' data to "certain notified countries and territories".

The government in August withdrew the contentious Personal Data Protection (PDP) Bill that saw 81 amendments in the past three years, aiming to introduce a new, sharper bill that fits into the comprehensive legal framework and protects the data of billions of citizens.

"The Central government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified," the new draft bill read.

The new PDP bill has also proposed harsh penalties of as much as Rs 250 crore on people and companies that fail to prevent data breaches.

"Failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (4) of section 9 of this Act" will cost a maximum penalty of Rs 250 crore.

"'Personal data breach' means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data," the draft bill said.

The bill is now open for public consultation and the IT Ministry will hear views from the public until December 17.

"The purpose of this Act is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto," said the draft.

On data storage, the draft bill requires consent before collecting data and says that "the storage should be limited to such duration as is necessary for the stated purpose for which personal data was collected".

Similar to Europe's GDPR, the proposed Indian bill will apply to companies operating in the country and to any entities processing the data of Indian citizens.

Rupinder Malik, Partner at law firm JSA, said that the draft bill has simplified the proposed data protection regime and done away with some contentious clauses which caused industry pushback in earlier versions.

"Particularly, data mirroring, data localisation requirements, and overall compliances appear to be limited compared to the previous Bill. The legislative intent appears to be tech and IT business friendly, focused on facilitating cross-border data flows," said Malik.

Abhishek Malhotra, Managing Partner, TMT Law Practice, said that the draft bill has watered down the objective of a data privacy and protection framework.

"It appears to give a simpler framework for people to be able to adopt it seamlessly. Unfortunately, the scope and applicability provisions have also been curtailed and limited to where collection is online or digitised and where Indians are targeted for profiling," said Malhotra.

Greater Kashmir
www.greaterkashmir.com