NEW DELHI: India is likely to water down its proposed rules on data privacy and localisation, mandating that only critical information needs to be compulsorily retained in India, people familiar with the matter said. It’s also expected to reduce the number of instances in which company executives can be jailed due to breach of data security to just one, they added.
“The proposed (draft) Data Protection Bill will now be tweaked to allow personal information which is not ‘critical’ nor ‘sensitive’ to be stored and processed anywhere, while data classified as ‘critical’ should be kept only in India,” a senior government official told ET. This could help ease the tension in trade ties between the US and India, another official said.
Identifying Critical Data
The original draft of the Personal Data Protection Bill, 2018, prepared by the ministry of electronics and IT (MeitY), had suggested that a copy of all personal data be stored in India, while “critical” information had to be mandatorily stored only in the country. The government has to identify what constitutes “critical” personal data. The Bill is listed for introduction in Parliament in the current session but this latest development could result in a delay to accommodate changes.
The only provision that will carry a jail term for executives will relate to de-anonymising already anonymised data to reveal personal information, the official added. For example, decoding a hospital’s illness patterns, which is public information, to identify individuals. This compares with a proposed five or more instances that could attract jail terms for violations.
The development comes days after a high-level US trade delegation was in India holding discussions with various ministries, including IT and commerce, amid trade tensions between the two sides. New Delhi recently decided to raise import tariffs on 29 goods from the US. That was in response to the US rolling back incentives under its Generalized System of Preferences (GSP) programme for imports from India. The US has since taken India to the World Trade Organization (WTO) over the country’s latest trade move.
The government’s move also comes after MeitY officials are said to have met recently with senior executives from US companies such Google, Facebook, Cisco, Mastercard, Amazon, PayPal, Twitter and American Express to understand their concerns and conveyed the possibility of softening the Data Protection Bill.
“In the meeting, government officials are believed to have explained that the Data Protection Authority, envisaged in the draft bill, would work in consultation with all stakeholders to identify which data classifies as personal, sensitive or critical,” an official said. “The company representatives, however, expressed doubts over the procedure and flagged the risks involved in a ‘designated authority’ singly deciding on the matter.” The companies appeared to be concerned about the procedure that would be followed in deciding the details, he said.
MeitY officials also highlighted to company representatives that even critical data, which must be compulsorily stored in the country, could actually be held abroad in case India had a bilateral agreement with a nation regarding cross-border flow of data.
“For instance, if India and the US have a bilateral agreement on cross-border flow of data that the American agencies would give India the necessary data required in a stipulated time, then even this provision of not making it compulsory to store critical data in India is also there,” the official said.
Several multinational companies had expressed concerns that localisation of all personal data of Indians would hurt their planned investments by raising costs to set up new storage centres in the country.
One official said that this was a part of the government’s efforts to achieve a breakthrough in trade talks with the US.
“Earlier this month, a team from the Office of the US Trade Representative (USTR) had visited India and expressed concerns over the RBI (Reserve Bank of India) policy on mandatory storage of data locally for all payment system operators. Also, the draft ecommerce policy having an entire chapter on data monetisation came as a bolt out of the blue for American companies,” said the official.
The official added that US had said that in both cases, Indian government policy making had been very opaque and failed to take the concerns of American companies into account.
Commerce and industry minister Piyush Goyal had last month announced that the ecommerce policy would completely drop the data monetisation part and leave it to MeitY to work upon.
Source: Economic Times