The Personal Data Protection Bill has been listed to be tabled in the Winter Session of Parliament which will begin on Monday, a notification on the Lok Sabha website said. The long-awaited Bill deals with handling and processing of consumer data by corporate entities, while introducing restrictions and penalties.
The draft Bill, which was released last year, created a huge controversy, with several global technology companies alleging that the move will curtail their ability of doing business in the country apart from driving cost of operations. The proposals are mostly based on a report submitted by Justice B N Srikrishna in July 2018. The draft Bill has since gone through at least two updates based on inputs received from industry.
While the final contour of the Bill is yet to be known, the draft version, which was made public earlier, said businesses were required to seek explicit consent for the data they collect on consumers. They are also required to mandatorily obtain consent from consumers to use their data sparingly and only for purposes stated, apart from storing “sensitive” consumer data only within Indian borders.
The Bill also proposes a fine of up to Rs 15 crore or 4 per cent of the firm’s turnover in the case of a breach, and setting up of a data protection authority, an appellate authority that will decide on such matters.
The proposed law was feared to have far-reaching implications for big tech firms such as Google and Facebook that operate out of India, requiring them to re-tune their businesses. These global technology companies have been arguing that the proposals will shoot up their operating costs and, in some cases, prohibit delivering some internet services.
“The government has conducted two rounds of industry consultations on the draft data privacy Bill, one public and another selective limited consultation with only certain stakeholders. However, till date the final draft has not been put in the public domain and there remains much concern among the multinational corporations and corporate entities with regard to the data localisation requirements,” said Salman Waris, managing partner at New Delhi-based specialist technology law firm TechLegis Advocates & Solicitors.
“If the draft Bill is passed in the present form, it’s going to have far-reaching implications for the corporate sector and adversely affect the ease of doing business and increase overall costs besides introducing a host of regulatory compliance obligations.”
In a recent interview to Business Standard, Daniel Castro, vice-president of the Washington DC-based think-tank Information Technology and Innovation Foundation (ITIF), said that policies like data localisation are not a good idea. “They force companies to start storing data locally within the country which moves away from the most secure servers developed in the most secure operating environment to a domestic implementation that may not be on a par with global security standards,” said Castro, also the director of ITIF’s Center for Data Innovation.