India’s Personal Data Protection Bill Likely to be Reintroduced Soon; May Relax Localization Rules

India’s Personal Data Protection (PDP) Bill is likely to be introduced again in Parliament in the winter session with some changes. The previous draft, withdrawn earlier this year, had received significant criticism from companies for its strict rules on storing Indians’ data within the country. When most employment data transfers are exempt from the restriction, companies should be aware of the possible limitation of collecting Social Security Numbers of employees. 

The Bill, which was previously approved by the government in 2019 after almost 5 years of deliberations, proposed restrictions on the use of personal information of people without their explicit consent. However, several exceptions to this rule, one of them being that personal data, except for sensitive personal data, may be processed without consent for purposes relating to employment. 

The revised version of the bill is likely to contain relaxed provisions on data localisation and cross-border flow of data, said Rajeev Chandrasekhar, the minister of state for electronics and information technology.  

HRPI Outlook: HR Policy in India held a conversation with Karnika Seth, a cybersecurity lawyer. Dr. Seth emphasized that while HR-specific data may not be required to be stored locally, but it should be made available in case law enforcement agencies require it. Additionally, financial data such as credit card numbers and social security (Aadhar) numbers will be required to be stored locally and be protected. We recommend that HR teams in India may need to review processes pertaining to seeking Aadhar numbers or similar information which is likely to be one of the most protected forms of information in the new bill.