Data Protection Bill 2021: Summary of data localisation and transfer recommendations

Data Protection Bill 2021: Summary of data localisation norms and restrictions on cross border data transfers

The Joint Parliamentary Committee reviewing the Personal Data Protection (PDP) Bill has recommended data localisation because of the economic, national security, and privacy benefits it provides. Specifically, all sensitive and critical personal data must be stored in India and can only be transferred outside India under certain conditions, according to the committee’s report.

Transferring sensitive personal data outside India based on contract or intra-group scheme

Sensitive personal data can be transferred outside India for processing when explicit consent is given by the data principal for such transfer, and where the transfer is made pursuant to a contract or intra-group scheme approved by the Data Protection Authority in consultation with the Central Government. Such schemes must ensure effective protection of the rights of the data principal, liability of the data fiduciary for harm caused due to non-compliance of the provisions of the scheme, and should not be against public policy or State policy. 

  1. Sensitive personal data is personal data, which may reveal, be related to, or constitute — financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation; any other data categorised as sensitive personal data by the government based on section 15 of the Bill.
  2. Critical personal data is not defined in the Bill and will be determined by the Central Government, the Bill said.
  • Earlier draft: In the Personal Data Protection (PDP) Bill 2019, the DPA did not have to consult the Central Government before approving a contract or intra-group scheme and the clause that a scheme will not be approved if it was against public policy or State policy was not present.
  • Reason for change: The committee reasoned that the DPA should invariably consult the central government while approving a contract or intragroup scheme and hence the words “in consultation with the Central Government” should explicitly be added to the clause. Furthermore, the committee noted that it was concerned about the “potential misuse of the provision by individuals or organizations with mala-fide intentions or by foreign entities whose actions might be inimical to the interests of the State” and therefore it added and defined the clause that a contract or intra-group scheme will not be approved if the object of such transfer is against public policy or State policy “to ensure a balance between the legitimate needs of businesses and the protection of the fundamental right of privacy of individuals and to protect the larger interests of the data principal vis-a-vis public policy.” 

Transferring sensitive personal data outside India based on countries meeting adequacy requirements

Sensitive personal data can be transferred outside the country when the Central government, after consultation with the Authority, has allowed the transfer to a country or, such entity or class of entities in a country or, an international organisation on the basis of its finding that:

  1. such sensitive personal data shall be subject to an adequate level of protection, having regard to the applicable laws and international agreements; 
  2. such transfer shall not prejudicially affect the enforcement of relevant laws by authorities with appropriate jurisdiction
  3. such sensitive personal data shall not be shared with any foreign government or agency unless such sharing is approved by the Central Government
  • Earlier draft: Subclause (c) is absent in the PDP Bill 2019.
  • Reason for change: The committee observed that the adequacy provisions of the Bill do not restrict transferring data from an approved country to a third country that is not approved by the government. In order “to safeguard the data of Indians and keeping in view the shifting nature of international relations,” the committee included the clause that “sensitive personal data shall not be shared with any foreign government or agency unless such sharing is approved by the Central Government.”

Transferring sensitive personal data outside India for any other approved specific purpose

Sensitive personal data can be transferred outside the country if the Data Protection Authority, in consultation with the Central Government, has allowed the transfer of any sensitive personal data or class of sensitive personal data necessary for any specific purpose.

  • Earlier draft: Earlier the clause “in consultation with the Central Government” was not specified.
  • Reason for change: The committee reasoned that since all other clauses required government consultation, this modification will “bring all clauses in sync with each other.” 

MediaNama’s Take: The latest iteration of the Bill requires government consultation for all the conditions under which transfer of sensitive personal data is possible, making the process of getting the necessary approvals even more cumbersome than before.

Transferring critical personal data outside of India

Critical personal data must only be processed in India, but may be transferred outside India only when such transfer is:

  1. to a person or entity engaged in the provision of health services or emergency services where such transfer is necessary for prompt action
  2. to a country or, such entity or class of entities in a country or, an international organisation that meet the adequacy requirements as laid out above for sensitive personal data and where the Central Government has deemed such transfer to be permissible and not prejudicially affecting the security and strategic interest of the State.

Existing data must be mirrored

The committee has recommended that a mirror copy of the sensitive and critical personal data which is already in possession of the foreign entities be mandatorily brought to India in a time bound manner, and once the proper infrastructure and Data Protection Authority is established, “the Central Government must ensure that data localisation provisions under this legislation are followed in letter and spirit by all local and foreign entities and India must move towards data localisation gradually.”

Government must prepare policy for gradual data localisation

  • What should the policy cover? The committee has recommended that the Central Government must prepare and pronounce an extensive policy on data localisation encompassing aspects like:
    1. development of adequate infrastructure for the safe storage of data of Indians which may generate employment
    2. introduction of alternative payment systems to cover higher operational costs
    3. inclusion of a system that can support local business entities and startups to comply with the data localisation provisions laid down under this legislation
    4. promote investment, innovations, and fair economic practices
    5. proper taxation of data flow
    6. creation of local Artificial Intelligence ecosystem to attract investment and to generate capital gains
  • Revenue from data localisation must be used for welfare measures: The committee also recommended that the revenue generated out of data localisation may be used for welfare measures in the country, especially to help small businesses and startups to comply with data localisation norms.
  • Ease of doing business must be kept in mind: The committee also wrote that the steps taken by the government for data localisation must guarantee ease of doing business in India and promote initiatives such as Make in India, Digital India, and Start-up India.
  • Government surveillance must be based on necessity: “Government’s surveillance on data stored in India must be strictly based on necessity as laid down in the legislation,” the committee said.

What are the benefits of data localisation?

  1. Access to data for government and law enforcement agencies: “Data localization would lead to easier access to data for the Government and law enforcement agencies, thus facilitating better law enforcement,” the report states. Timely access to personal information is a major requirement for law enforcement agencies, the report said.
  2. Privacy of citizens: “In the absence of data localization, any compromise with the personal data of individuals in other countries may have very few remedial opportunities to individuals. Hence, data localization norms can be very helpful in personal data and privacy protection, which is the prime objective of this Bill,” the report reads. By keeping the data in India, the government can ensure privacy with appropriate regulations, the committee said.
  3. Economic value: “Data is core to the future of our economy and is unlike any other resource. Data is now treated as an asset, deriving implicit value generated from insights, patterns and distribution of data and its amalgamation with other data,” the committee wrote in its report.
  4. Employment generation: Data localisation will drive the emergence of data centres and associated industries, which will in turn create significant employment opportunities.
  5. Domestic IT Companies: “With the appropriate data localization norms in place, Indian companies can easily avail the data storage and hosting services within India, as the data centre infrastructure in India will be substantially enhanced. IT infrastructure companies will also be encouraged to make investments in setting up hyperscale data centres and other IT infrastructure within the country,” the committee wrote.
  6. Foreign IT Companies: “These companies, while complying with the regulations, will need to set up new data centres and other IT infrastructure in the country, thus increasing their investments in India,” the committee said.

How can data localisation be achieved?

According to the committee, data localisation can have the following dimensions:

  1. Hard localisation: “Data is stored only within the country and is not permitted to be transferred to any other country. This is known as hard localization,” the committee wrote.
  2. Soft localisation: “Data is primarily stored in one country and available for use. However, data can also be transferred to other countries. This is known as soft localization,” the committee wrote. India’s Data Protection Bill takes the soft localisation approach.

What are some of the key issues concerning the data localisation norms?

  • Uncertainty on critical personal data: While the Bill defines what sensitive personal data constitutes, critical personal data remains undefined, leaving it for the government to define at a later stage.
  • Segregation of data sets: A lot of data will be a combination of personal data and sensitive personal data and segregating them will be onerous, making the data localisation norms applicable to the whole data set, one of the speakers at a MediaNama discussion held in January 2020 pointed out.
  • Enforcing the norms: “You just have to say I have done it […] But, in reality, there are maybe a hundred different ways in which data can still keep going outside the country because of how hard it is to perform localisation along with segregation,” one speaker said.
  • Economic arguments fall flat: Several speakers at the MediaNama discussion concurred that data localisation’s economic argument falls flat, because it is unclear how one can leverage data stored within India when the same data is also protected under a privacy law.
  • Burdensome on smaller companies: While bigger companies will have the resources to comply with the data localisation norms, smaller companies will find it onerous and this might discourage start-up innovation. 
  • Some technologies rely on the distribution of data: Some technologies like cloud computing, data analytics, and AI/ML (Machine Learning) operations rely on the distribution of data and restricting this will undermine Indian organisations’ competitiveness compared to their global counterparts, a report by the Data Security Council of India (DSCI) and US-based Centre for Information Policy Leadership (CIPL) stated.
  • Creates a single point of vulnerability: Concentrating storage systems in India would create a single point of vulnerability. Distributing servers across the world helps businesses preserve the continuity of business in the face of hackers and natural disasters, the DSCI report added.
  • Seeking explicit consent from users is unnecessary: Requiring consent on top of a contract, intra-group scheme or adequacy finding does not necessarily give users additional protections because such mechanisms already “impose separate and clear obligations to protect the data,” the DSCI report stated.

Data localisation norms of RBI

Separate from the Data Protection Bill, the Reserve Bank of India in April 2018 issued directions requiring all data relating to payment systems to be stored in India. This includes customer data like name, mobile number, account number, payment data like OTPs, passwords, and transaction data like origin and destination system information, transaction reference, timestamp, amount, etc.

Due to non-compliance with these norms, three major international card operators — Mastercard, American Express, and Diners Club — were barred from issuing new cards. While the ban on Diners Club was lifted in November, the other two continue to be barred.
