New Data Protection Bill relaxes information transfer norms

A revised version of the Data Protection Bill has allowed information transfer to all countries except the ones restricted by the government and exempted companies from taking parents’ consent for children’s data if the information is processed in a “verifiably safe” manner.

The government has changed the defintion of a child in the draft Bill. A child means an individual who has not completed the age of 18 years or such lower age as the central government may notify.

The government has moved away from the earlier proposed clause of notifying permissible countries where data fiduciaries or companies can transfer data.

The change means that government will notify a negative list or no go countries for companies where they cannot transfer the personal data of users.

In the revised version of the Bill, under the section of transfer of personal data outside India, the government specified that, “A data fiduciary may, unless restricted by the central government by notification upon the assessment of such factors as it may consider necessary, transfer personal data for processing to any country or territory outside India in accordance with such terms and conditions as the Central Government may notify”.

In the earlier version of the Bill said, “The central government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a data fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.”

The provisions of cross-border transfer of data under the Bill does not limit the application of any existing law in India that offers greater protection or restrictions on the transfer of personal data by a data fiduciary outside of India. According to the revised Bill, such laws will continue to apply and provide the necessary level of protection for personal data or specific categories of data fiduciaries.

Among key changes in the revised Bill, the government has opened the scope to reduce the age-cap of children to below 18 years for companies to seek parental consent before processing their data.

The companies will be exempted from provisions like seeking parental consent for children’s data and not showing targeted advertisements only if the government is convinced that a data fiduciary has implemented a verifiably safe approach to processing children’s personal data. As per the draft, the government can issue a notification specifying the age at which the data fiduciary will be exempt from certain obligations.

“Child means an individual who has not completed the age of 18 years or such lower age as the central government may notify,” according to the revised draft Bill. In the earlier draft, a ‘child’ was defined as an individual who has not completed 18 years of age.

A provision for reduction in age-gating is positive for social media companies as they will be able to have a wide user base to target ads to children and accordingly grow their revenue, which would have been restricted if 18 years was the threshold. Generally, the age threshold of obtaining parental consent is between 13 and 16 in other countries.

In the definition of ‘data principal’, the government has also included lawful guardian of a person with disability, acting on behalf of such individual.

With regard to the structure of data protection board, the government will appoint a chairperson and other members such that the total members of the board do not exceed seven, according to the Bill.

The members of the board need to have specialised knowledge or practical experience in areas such as data governance, administration, implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, law, regulation or techno-regulation.

The government may also consider expertise in other fields that would be beneficial to the board. Additionally, at least one member should be an expert in the field of law.

The government has exempted itself, the data protection board, its chairperson, or any member, officer, or employee from legal action for anything done or intended to be done in good faith under the provisions of the Act.

The new version of Bill has retained the penalties in case of data breach to `250 crore, which can go up to ` 500 crore. The Bill will be tabled in the Parliament during the monsoon session which begins from July 20. Financial Express