The Union Cabinet on Wednesday approved the Personal Data Protection Bill, but everyone expects it to be a changed version of the draft bill released in 2018. The bill, which seeks to regulate the processing of personal data by both the government and private companies, has many multinational companies worried because of clauses around data localisation - the draft bill stated that the central government would notify categories of personal data as 'critical personal data', which must only be processed in a server or data centre located in India.
While the contours of the new bill would only be known once it is tabled in the Parliament, experts expect the bill to define what constitutes 'critical data'. Legal experts and think-tanks also expect the definition of what constitutes 'Sensitive Personal Data' to be streamlined. The draft bill of 2018 stated that Sensitive Personal Data is applicable to passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, caste or tribe, religious or political belief, among others. Many disagreed with this categorisation - particularly, they found the inclusion of financial data and passwords as sensitive to be incorrect.
Kazim Rizvi, Founding Director of The Dialogue, a think tank, is hopeful that the bill approved by the Cabinet may not require companies to store and process all personal data in India. "But geographic restrictions to sensitive and critical personal data are there. The list of sensitive data includes financial and health records. This is expected to be stored in India but can be processed abroad under certain circumstances," he says.
He expects the tabled bill to define "critical data" and adds that the bill will allow the government to request non-personal data from any company for "planning" purposes. "Social media companies will have to develop a verification mechanism that is voluntary for users but will decrease anonymity," he says.
People watching the space also expect stronger guidelines around the concept of 'consent'. Most Internet or mobile-first companies run users through many pages of terms and conditions before she or he is asked to click on 'I Accept' button. Unless this is done, the user cannot proceed to use the app. The fact is that most users don't read, or know about these terms and conditions. "I am expecting guidelines around making it more open and transparent. So there might be more transparency around how consent is obtained," Mukul Shrivastava, Partner, Forensic & Integrity Services, EY India, says.
Ever since the draft bill emerged in 2018, the cost of compliance has been discussed thread bare - most of it around technology or the cost of setting up data centres in India. Shrivastava, however, feels that people and process are equally important areas of investment, going forward. "We need processes and people who are subject matter experts. Right now, such people are rare commodity," he says. Not only do companies need a Data Protection Officer, they also need a host of mid-level executives and training for fleet on the ground. These are people who collect the data, either for e-commerce companies, telecom or banking firms, for instance. "Companies who are capturing the data have to make sure they have the necessary consents when they gather that data from people," Shrivastava says.
Such processes don't get streamlined overnight. It is likely to be a year's investment for most companies.