The IT Ministry has received more than 400 responses from companies, industry bodies and government departments on the draft personal data protection bill, and will take stock of suggestions before its proposed introduction in Parliament, according to a senior official.
An official, who did not wish to be named, said the IT Ministry will start systematically analysing and crystallising the responses now, following which, it will further consult related stakeholders and certain ministries like Law and Justice. The official said some of the responses talk of how the language of the draft bill can be tightened to avoid its multiple interpretation in the future, and added that some suggestions were around the costs surrounding mandatory localisation or storage of data, that the bill proposes.
Many global industry bodies have contended that data localisation proposed in the draft bill could have “significant negative effects” on the ability of companies to do business in India. The ministry hopes to take stock of all the feedback over the next 1.5 months and give final touches to the draft by November-end, for its subsequent introduction in Parliament. Parliament is expected to convene for the winter session in November-December.
The official said that a number of ministries and departments, including Corporate Affairs, Social Justice and Women and Child Development, and Youth Affairs have also sent in their feedback. The draft personal data protection bill was crafted by a high-level panel headed by Justice B N Srikrishna, and was submitted to IT Minister Ravi Shankar Prasad in July-end.
The draft bill moots “explicit consent” for processing ‘sensitive personal information’ like religious or political beliefs, sexual orientation and biometric details. It suggests steps for safeguarding personal information, defining obligations of data processors as also rights of individuals, while proposing penalties for violation.
The areas covered by the recommendations include consent, what comprises personal data including sensitive personal data, exemptions which can be granted, grounds for processing data, storage restrictions for personal data, individual rights and right to be forgotten.
The draft of Personal Data Protection Bill, 2018 also restricts and imposes conditions on the cross-border transfer of personal data, and suggests setting up of Data Protection Authority of India to prevent any misuse of personal information.
It provides for a penalty of Rs 15 crore or 4 per cent of the total worldwide turnover of any data collection entity, including the state, on violation of personal data processing provisions. Failure to take prompt action on a data security breach can lead to a penalty of up to Rs 5 crore or 2 per cent of turnover, whichever is higher.