This article is one of four in an annual Vantage Point series where in-house counsel identify key risks and opportunities in the year ahead.
The Joint Parliamentary Committee (JPC) report on the revised Personal Data Protection Bill, 2019 (PDP Bill), is expected to be placed in the Budget session of parliament, and is being eagerly awaited by the industry. The government tasked the JPC with examining the revised draft bill that was originally presented by a committee of experts constituted in 2017 and headed by Supreme Court Justice B N Srikrishna.
The Srikrishna committee’s report came after detailed consultations with various stakeholders for over a year. However, after taking feedback from various stakeholders, the central government presented a revised Personal Data Protection Bill, 2019, which was referred to the JPC.
The revised PDP Bill, 2019, came in with some new clauses for social media companies, and also enhanced state power to exempt any government agency from the constraints of the bill.
Dilution of data localization
Earlier, there was strong criticism of the data localization requirements in the draft bill proposed by the committee of experts headed by Justice Srikrishna. The government took this into account, and the mandatory requirement to store a mirror copy of all personal data in India under section 40 of the draft bill, as proposed by the Srikrishna committee, was eased. In the revised bill, the localization requirement is mandatory only for sensitive and critical personal data.
Critical and sensitive personal data
Critical personal data may now only be processed within India. Sensitive personal data may be transferred outside India based on explicit consent, and subject to any one of the following conditions:
- In line with a contract or intra-group scheme approved by the Data Protection Authority (DPA) protecting the principal’s rights.
- Transfer to a country, or entities in the transferee country, that provides an adequate level of protection, and has been conferred with such adequacy by the central government.
- Pursuant to specific approval from the DPA for any specific purpose.
While cross-border transfer is permissible, a serving copy of such sensitive data must be stored in India.
The central government may categorize any data as critical data from time to time. Any data that are categorized as critical data may be transferred outside India if such transfer is to a:
- Person or entity engaged in providing health and emergency services, where prompt action is required. Further, these transfers may be notified to the DPA within a specific period.
- Country, entity or international organization that the central government deems permissible, after evaluating the adequacy of protection measures, provided such transfer shall not cause prejudice to security and the strategic interests of the state.
Under the revised bill, fiduciaries can process personal data outside India as long as they have obtained consent from the principal. This is a welcome move and has come as a huge relief to the industry.
Criticism from Justice Srikrishna
Justice Srikrishna, the architect of the first draft bill, was critical of the revised bill. He says that the blanket power of exemption from all provisions of the law in favour of a government agency is a disastrous move. He also says that the DPA’s composition is dominated by the government, as against the original bill, which had a diverse and independent composition.
The DPA chairperson and six full-time members will be appointed on the recommendation of a committee comprising the cabinet secretary, IT secretary and law secretary. Justice Srikrishna believes that the government is taking over the reins of the DPA.
It will be interesting to see the recommendations of the JPC report. We will then know the shape of the final bill.