India in 2020: Relief in sight from data protection bill?

This article is one of four in an annual Vantage Point series where in-house counsel identify key risks and opportunities in the year ahead

The Joint Parliamentary Committee (JPC) report on the revised Personal Data Protection Bill, 2019 (PDP Bill), is expected to be placed in the Budget session of parliament, and is being eagerly awaited by the industry. The government tasked the JPC to examine the revised draft bill that was originally presented by a committee of experts constituted in 2017 and headed by Supreme Court Justice B N Srikrishna.

The Srikrishna committee’s report came after detailed consultations with various stakeholders for over a year. However, after taking feedback from various stakeholders, the central government presented a revised Personal Data Protection Bill, 2019, which was referred to the JPC.

The revised PDP Bill, 2019, came in with some new clauses for social media companies, and also enhanced state power to exempt any government agency from the constraints of the bill.

Dilution of data localization

Earlier, there was strong criticism of the data localization requirements in the draft bill proposed by the committee of experts headed by Justice Srikrishna. The government took this into account, and the mandatory requirement for storing a mirror copy of all the personal data in India as per section 40 of the draft bill, as proposed by the Srikrishna committee, was eased off. Now, in the revised bill, the localization requirement is mandatory only for sensitive and critical personal data.

Critical and sensitive personal data

Critical personal data may now only be processed within India. Sensitive personal data may be transferred outside India based on explicit consent, and with any one of the following conditions:

• In line with a contract or intra-group scheme approved by the Data Protection Authority (DPA) protecting the principal’s rights.
• Transfer to a country, or entities in the transferee country, that provides an adequate level of protection, and has been conferred with such adequacy by the central government.
• Pursuant to specific approval from the DPA for any specific purpose.