Net giants can store your non-crucial data abroad

NEW DELHI: Your personal data, such as what you order online, or where you shop online or destinations that you go to, can be freely taken abroad and stored and processed on international servers by internet giants. They do not need to keep a mirror copy of the information in India, as had originally been stipulated in the draft bill that created the architecture of India’s personal data protection law.
The Cabinet gave the nod to an updated version of the Data Protection Bill that aims to protect the rights of an individual over data he or she generates, especially erecting safeguards against the flow of sensitive information such as a person’s financial or health statistics, passwords, sexual orientation, biometric details, religious and political beliefs. The bill proposes that firms mandatorily store sensitive personal information on servers located only in India, with no mention of provision for non-sensitive data.
The data protection bill proposes that firms mandatorily store sensitive personal information on servers located only in India. The same diktat applies to ‘critical data’, which the government may define/notify from time to time and may include information that, for example, has a bearing on national security, or is military data, sources said.
However, the bill does not make any special mention of the provisions related to cross-border movement of ‘non-sensitive and non-critical’ data, which includes information around what you do when online. Earlier, the draft bill had said that companies will need to keep a ‘mirror copy’ of such information on Indian servers, mainly to keep a track of what data is being collected.
For violations (which will be monitored by a proposed Data Protection Authority), the bill mandates a penalty of Rs 5 crore or 2% of global turnover (whichever is higher) for certain offences, while for data leakage or illegal processing, it stipulates a top penalty of Rs 15 crore or 4% of turnover. For serious breaches, senior officials from the top management of the violating company also face the prospect of arrest and jail terms ranging up to three years.
An official source said that the “government is mindful” of any concerns around usage of personal data – even if it is non-sensitive. “Consent is the backbone of the proposed data protection law, and there are clearly-specified checks and balances to ensure that personal data of citizens is not violated, or illegally used or processed,” the source said.
Another source said that in drafting the bill, the government also had to “keep the concerns of the Indian IT industry” in mind. “If any wide-aranging condition was stipulated on international internet companies to compulsorily store ‘all the data’ in India, a reciprocal condition could have been sought against Indian IT companies doing outsourcing/business abroad, impacting our over $100 billion exports that happen mainly to the US.
Any similar condition on Indian IT companies to compulsorily store data on foreign servers would have increased their costing, and priced them out of many large deals.” The bill also tackles other important issues such as giving an individual the ‘right to be forgotten’, which means that a person can petition internet companies to remove information about him from the web.

Be the first to comment

Leave a Reply

Your email address will not be published.