Data Protection Bill: Is A Vote Finally Approaching?Bill Nearly Finalized; Parliament Could Vote in Winter Session
The long-delayed data protection bill is on track to be finalized in time to be voted on by the parliament in its winter session, says one official on the committee that's been drafting the measure.
"In all likelihood, it will get cleared during the winter session," the official, who asked not to be named, tells Information Security Media Group. "Currently, the bill is in the final stages of consultation. There are certain aspects for which we would like to have more opinion."
The Parliament's winter session will run from Dec. 11 to Jan. 8.
A draft of the bill, which was unveiled by the Srikrishna Committee in July 2018, includes several major provisions. For example, a "data localization" provision would require companies to store data about Indians domestically. The bill also would require organizations to appoint a data protection authority to deal with privacy complaints. And it would give citizens more control over their data.
A Top Priority
Ajay Prakash Sawhney, secretary of the Ministry of Electronics and Information Technology, tells Information Security Media Group at a conference hosted by IoT India Congress that enactment of a data protection bill is one of the top priorities for the government.
"The bill is a work in progress and the government is in the process of seeking clarification from some eminent people in the field," says Ravi Shankar Prasand, union minister of electronics and information technology, according to Economic Times.
"We need to have a balance between data availability, data utility, data innovation, data anonymity and data privacy," he said at a summit organized by the Economic Times. "I am aware that some degree of movement is inherent in a data economy, but one thing is very clear - the government of Narendra Modiji will never compromise on data sovereignty of India; that should be very clear."
The draft version of the Personal Data Protection Bill, 2018, calls for requiring every data fiduciary to ensure that Indian's data is stored in a server or data center located in India. Companies dealing with data that's not considered sensitive would still have to store a mirror copy of that data in India.
Under the draft, personal data determined to be critical would be required to be processed only in India, with cross-border transfer prohibited.
Although the government had taken a strong stand in favor of data localization, many global companies - including some based in the U.S.- have protested that proposal, calling for relaxation of the requirements to help ease business operations.
The Reserve Bank of India already is requiring payment companies to store data related to payments in India.
In August 2017, the Supreme Court of India declared that privacy is a fundamental right. But there's no law setting penalties for those who violate privacy. That's why a data protection law is seen as essential by many privacy and security experts.
"The Supreme Court declared privacy as a fundamental right. This declaration has little meaning if there is no law to protect it," says Vicky Shah, a Mumbai-based cyber lawyer. "The problem of social media companies misusing our data will get addressed if a law on data protection takes shape quickly."