Data Protection Bill Draft Released
Long-Awaited Proposal Covers Data Storage, Privacy Issues and More
The Ministry of Electronics and Information Technology late Friday released the long-awaited Data Protection Bill of India. The bill, which would require most data about Indians to be stored domestically, was drafted by a 10-member committee of experts headed by Justice B.N. Srikrishna.
The committee handed the report to IT Minister Ravi Shankar Prasad, wrapping up nearly one year of deliberations that touched upon sensitive and controversial issues.
The 67-page Personal Data Protection Bill, 2018 addresses the following issues:
- Data protection obligations;
- Grounds for processing of personal data, including sensitive data;
- Protecting the data of children;
- Transparency and accountability measures;
- Transfer of personal data outside of India;
- Exemptions in areas where the Act will not apply;
- A data protection authority of India;
- Penalties and remedies;
- An appellate tribunal;
- Transitional provisions of data protection officers and authorities in charge of data protection.
The bill must be approved by Parliament and gain the president's signature to become a law.
"It is a monumental law and we would like to have widest parliamentary consultation," Prasad said. "We want the Indian data protection law to become a model globally, blending security, privacy, safety and innovation."
Justice Srikrishna says privacy has become a hot issue, and every effort has to be made to protect data at any cost.
The bill proposes that India require that critical data be domestically stored in most cases, with data mirrored in certain circumstances (see: Will RBI's Local Data Storage Mandate Be Relaxed?).
The proposed legislation would place the following restrictions on cross-border transfer of personal data:
- Every data fiduciary must ensure the storage, on a server or data center located in India, of at least one serving copy of personal data to which this Act applies;
- The central government must designate categories of personal data as critical personal data that will only be processed in a server or data center located in India;
- The central government will designate certain categories of personal data as exempt from the requirement of domestic storage on the grounds of necessity or strategic interests.
The bill also would require that technology used in the processing of personal data comply with commercially accepted or certified standards. It also would require that the processing of personal data be carried out in a transparent manner.
Under the bill, all organizations would be required to use security measures, including de-identification and encryption, to ensure privacy is maintained. The proposed legislation also would require organizations to ensure proper steps are taken to prevent misuse, unauthorized access and disclosure and destruction of personal data.
"Every data fiduciary and data processor shall undertake a review of its security safeguards periodically as may be specified and may take appropriate measures accordingly," the bill says.
Another provision of the bill would require organizations that collect genetic data or biometric data to undertake a data protection impact assessment.