Govt likely to bring changes in Data Protection Bill

The government is likely to bring changes in the Data Protection Bill, in a manner that only companies based in countries sharing land border with India, need to store consumer data within the country.

Such a move would be a big relief for US-based big tech firms like Facebook, Google, etc, who have been opposed to stringent domestic data storage norms proposed in the Bill in its current form.

The other likely modification in the Bill could be that firms with origin in countries sharing land border with India, would have to compulsorily store all data for around three months.

This provision currently applies to licensed telecom operators but not to any over-the-top (OTT) players.

Such a clause would come in handy in investigating allegations of anti-national activities or activities which endanger law and order situation, official sources said.

Sources said that once these changes are incorporated in the Data Protection Bill, most of the issues flagged by the big tech firms would be taken care of. For instance, regulation of hardware and devices, localisation of data with retrospective effect and the requirement of regulatory nod each time cross-border flow of data takes place, were the three major clauses which were flagged by these firms as areas of concern and the government was looking into them to facilitate ease of doing business and regulatory simplicity.

On the localisation of data, the Bill, in its current form, mandates storage of sensitive personal data (SPD) and processing of critical personal data (CPD) only in India. The problem area, apart from the definition of such data, as pointed out by big global firms, is also the clause, which states that mirror copies of SPD and CPD already in the possession of foreign entities, need to be mandatorily brought back to India, with retrospective application.

Legal and industry experts have pointed out that segregating SPD and CPD on a retrospective basis would be a tedious exercise and may also lead to cyber security risks.

Another clause which was flagged by the global firms was that explicit consent needs to be taken for transfer of SPD, from the Data Protection Authority, which in turn needs to consult the government. This means transfer of such data would not remain free from executive or political interference, which may act as barriers for start-ups.

Official sources said that such concerns would be taken care of with the proposed changes in the Bill by segregating firms on the basis of country of origin.

As is known, the Data Protection Bill was originally introduced in Lok Sabha in December 2019, after which it was referred to the joint committee of Parliament (JCP), chaired by BJP MP, PP Chaudhary. The draft Bill was prepared on the recommendations of Justice BN Srikrishna-led committee in 2018. Financial Express