The Union Cabinet has approved the Personal Data Protection Bill, and you need to be aware of it if your site is hosted outside India.
The same applies if your business collects data in India and sends it overseas.
The Bill will be presented before Parliament in the next session. It will then be debated before Parliament decides whether to pass it or not.
It is highly likely that the Personal Data Protection Bill will become law. The Reserve Bank of India has been demanding localisation of critical data for a long time. Despite resistance from the USA, India has good leverage over the whole scenario.
What is the Personal Data Protection Bill?
The Personal Data Protection Bill, or PDP, was drawn up by an expert group. Former Supreme Court judge B. N. Srikrishna is the head of the committee.
The PDP regulates the collection, usage, transfer and disclosure of data collected by organisations. The Bill lays down a legal framework essential to protecting the data of Indian users.
It holds organisations accountable for the secure processing and storage of that data.
India is the largest Internet consumer country with an open market. A large amount of Indian user data is stored outside of India.
That data includes critical, confidential and general information about users. For a long time, the RBI has wanted a law that makes organisations store financial data (credit card numbers and passwords) in the country.
Last year the government introduced the draft of a personal data protection bill, which was similar to the European Union’s GDPR. After many tweaks and customisations, the Union Cabinet passed the Bill this Wednesday.
The government will soon present a complete Personal Data Protection law in parliament.
The Bill is Applicable to:
In its current state, the Bill applies to those organisations that are:
- Collecting or sharing data within the territory of India
- Connected with a business in India that collects data within Indian territory
- Involved in profiling the data of Indian citizens in partnership with Indian companies
The Bill applies in the same way to the processing of data by any Indian state or company.
This Bill will mostly affect companies offering online services to Indian consumers. Big tech giants like Facebook, Amazon, Google, and Netflix has.
What does the Personal Data Protection Bill mean for companies?
For companies, there are clear guidelines to follow regarding the collection and processing of users’ data.
The data is divided into three categories — Sensitive, Critical and General.
Sensitive Data:
Data that is intensely personal to the individual.
Sensitive Personal Data means personal data revealing, related to, or constituting:
- Passwords
- Financial data
- Health data
- Official identifier
- Sex life
- Sexual orientation
- Biometric data
- Genetic data
- Transgender status
- Intersex status
- Caste or tribe
This data can only be stored in India. However, the organisation can process the data outside India with the explicit consent of the user.
Critical Data:
The Government has not specifically defined this data. From time to time, however, the Government will release statements regarding Critical Data.
Organisations must process and store Critical Data within Indian territory.
General Data:
Data that does not fall into the sensitive or critical category is general information. There are no restrictions on storing or processing such data.
What do companies have to do?
Getting Indian Dedicated Servers
Companies have to store critical and sensitive data inside India. For that, they have to buy a dedicated server in India to store and process the data of Indian users.
Social Media Sites
Social media sites have to offer users a function to verify their accounts.
The purpose behind verified social media accounts is to discourage the spreading of rumours. Another reason is to reduce the trolling that happens on social media.
Twitter, Facebook, or any other social media company has to give users a verification option.
Consent Option
Asking for consent for the collection of information is also an essential aspect of the Bill.
A company now has to obtain the user’s explicit consent before storing their data outside India. The business also has to clarify the purpose of the data collection.
The organisation has to change its policy as per the PDP Bill.
Penalty and Fines
There will be a penalty of Rs. 5 Crores or 4% of global turnover if a company is found sharing users’ data without consent.
If the organisation fails to register or does not follow the Bill, the fine would be Rs. 5 Crores or 2% of global turnover.
The penalty would be as high as Rs. 15 Crores or 4%, whichever is higher, if the organisation sends users’ data overseas without consent.
In cases of severe offences and repeated law-breaking, the responsible person might have to serve jail time too.
FAQ
What is considered personal data?
Any data that can be used to identify a person is personal data.
Is financial data sensitive personal data?
Yes. Financial data is sensitive personal data, and it can only be stored in India. But an organisation can process the data outside India with the consent of the user.
Summary
India is a big consumer market, and that is the biggest leverage policymakers have. Companies will not want to lose such a large consumer market.
If Parliament passes the Bill, it will be essential for companies to store critical data in India, or they will have to pay hefty fines.
TikTok and many other organisations have already started setting up their data centres in India.
It is high time you started looking at your options for storing data in India.