Centre to notify ‘data-secure’ regions to which data can be transferred
EASING cross-border data flows, hiking penalties for data breaches and non-compliance, allowing the government to exempt state agencies from the law in the interest of national security: these are among the key provisions of the revamped data protection Bill released by the Ministry of Electronics and IT (MeitY) Friday.
The draft was out three months after the Government withdrew an earlier version that had triggered a pushback from Big Tech and sections of the civil society. The new draft, now called the Digital Personal Data Protection Bill, 2022, has provisions on “purpose limitations” around data collection; specified grounds for collecting and processing of personal data; penalties ranging from Rs 50 crore to Rs 500 crore and a Data Protection Board as the adjudicating body to enforce the provisions of the Bill.
The draft is up for public consultation until December 17 and the final version is expected to be tabled in the Budget session of Parliament next year. The new Bill had 30 provisions while the previous one had more than 90. The revamped Bill, however, has left a number of crucial details on its provisions to be made in subsequent rules.
The new draft offers significant concessions on cross-border data flows, in a departure from the previous Bill’s contentious requirement of local storage of data within India’s geography. According to the new draft, the Centre will notify regions to which data of Indians can be transferred.
Sources said the conditions for selecting such regions would be based on their data security landscape and if the government can access data of Indians from there. The Indian Express had, on August 14, reported that the new Bill would relax data localisation requirements and allow data flows to trusted geographies.
Under the previous Bill, businesses were supposed to store a copy of certain “sensitive personal data” of citizens like health and financial data within India, and the export of undefined “critical” personal data from the country was prohibited. It was among the biggest issues flagged by technology companies, with firms like Meta having said that it could have an impact on its services in India.
“The Bill offers a relatively soft stand on data localisation requirements and permits data transfer to select global destinations based on some predefined assessments. This is likely to foster country-to-country trade agreements, make it relatively easier for global enterprises to operate and process data with their current set-up rather than mandatorily developing large infrastructure in India for storing and processing of personal data,” said Manish Sehgal, partner at Deloitte India.