The Data Protection Bill, which has been cleared by the Cabinet, envisages “sensitive” personal data to be stored in India, but it can be processed outside the country with the explicit consent of the individual concerned. The sensitive personal data will include health records, financial data, sexual orientation, biometrics, genetic data, transgender status, religious or political beliefs or affiliations, said the official source.
However, “critical” personal data, which is another classified data, can only be stored and processed in India and will not leave the country. What constitutes “critical data” will be defined by the government at the time of framing regulations. Sources said the data protection Bill does not require companies to store and process “all” personal data in India. The Bill will be introduced in the current session of Parliament, said a source.
The Bill will let government to request non-personal data from any company for “planning”. The social media platforms will have to develop a verification mechanism that is voluntary for users but will decrease anonymity. Companies may face a penalty of up to Rs 15 crore or 4 per cent of global turnover for major violations under the proposed Personal Data Protection law, according to the official source.
“In case of major violations, Personal Data Protection Bill proposes penalty of up to Rs 15 crore or 4 per cent of global turnover (whichever is higher). For minor violation, penalty of Rs 5 crore or 2 per cent of global turnover is proposed,” a source said. “The data privacy law exempts processing of data without consent in case of issues around sovereignty, national security and court order,” the source said.
