Data Localization & The New India Data Protection Regime
Introduction & Background
The opponents of the new Personal Data Protection Bill, 2019 (hereinafter referred to as the “Bill”) see it as an almost Orwellian attempt to subvert the privacy of citizens through technology and digital data. The Government has been given wide powers over the collection as well as the retrieval of data, which is especially troublesome given that many governments globally indulge in mass surveillance of their citizens, and given the recent privacy concerns arising from Aadhaar, the National Population Register (“NPR”) and the National Registry of Citizens (“NRC”).
Over the last decade we have seen how destructive the use of personal data can be. We have seen authoritarian regimes like China, Russia etc. use it to track and persecute political opponents, as well as controversial entities like Cambridge Analytica using private data in election analytics, potentially swinging the vote in favour of their clients. Over and above this, Russia and China especially have gathered infamy for using the data of citizens of other countries for their gain. When we see the number of digital applications originating out of China and the consequent amount of user data available to these entities, it becomes clear why data localization is a serious demand of many people.
Data Localization
Whilst these are the wider constitutional and human rights perspectives on the new Bill, the Bill is also set to have a massive impact on digital media and e-commerce entities. One interesting part of this is the aspect of data localization.
Data localization has been one of the most controversial aspects of the Bill. The proponents of the Bill would describe the provisions relating to data localization as a good middle ground between the interests of the Data Principal, i.e. the consumer to whom the data relates, and those of e-commerce entities as well as other corporate interests.
Reserve Bank of India Notification
On 6th April, 2018 the Reserve Bank of India (“RBI”), vide a notification titled Storage of Payment Data,[1] mandated storage of payments-related data in India, thus setting the tone for the Indian data localization regime. This requirement does not fall on e-commerce entities, but it does fall on system providers who provide Payment Systems as defined under the Payment & Settlement Systems Act, 2007. The notification required that the entire data relating to payment systems operated by them be stored in a system only in India. This data is required to include the full end-to-end transaction details. For the foreign leg of the transaction, if any, the data may also be stored in a foreign country, if required.
Legislative Background to the Bill
The 2018 Justice B.N. Srikrishna Committee suggested stringent data localization norms, much in tune with the RBI Notification, providing for all personal data to be processed within the borders of India, and the same was reflected in the 2018 draft of the Bill. The 2019 Bill, however, provides certain exemptions.
The Bill & Data Localization
Section 33 of the 2019 Bill provides a distinction within “Personal Data”, primarily for the purposes of the 2019 Bill. There are three kinds of data: “Sensitive Personal Data”, “Critical Personal Data” and the remaining other kinds of personal data.
Sensitive Personal Data
Sensitive Personal Data is defined as such personal data which is related to financial data, health data, official identifier data, sex life related data, sexual orientation, biometric data, genetic data, transgender status of the Data Principal, intersex status, caste or tribe, religious or political belief or affiliation, or any other personal data under section 15, i.e. any personal data that the government, in consultation with the Authority under the Bill and the sectoral regulators concerned, may notify as Sensitive Personal Data.[2]
Sensitive Personal Data may be transferred outside the country subject to the provisions of section 34; however, it must be stored in India.[3] The Bill further provides the conditions under which Sensitive Personal Data may be transferred outside the country. It states that the consent of the Data Principal for such transfer is explicitly required.[4] Furthermore, the transfer of such Sensitive Personal Data must be made pursuant to a contract or intra-group scheme that is approved by the Authority under the Bill (hereinafter referred to as “Authority”). For such an intra-group scheme to be approved, it must provide effective protection of the rights of the Data Principal as given in the Bill and must put liability on the data fiduciary for harm caused due to any non-compliance.[5]
The central government can also allow the transfer of Sensitive Personal Data after consultation with the Authority, provided that such personal data is given an adequate level of protection and regard is given to the applicable laws.[6] The Authority under the Bill itself is also empowered to allow the transfer of any Sensitive Personal Data.[7] Regardless of how such transfer is made, it must be notified to the Authority under the Bill.[8]
Critical Personal Data
Critical Personal Data has been described as such data which the central government may notify. This clearly shows that the government is keeping the ball in its own court and the real extent of the compliance concerning data localization that e-commerce platforms will have to face will only be realized once the allied rules & regulations under the Bill come to light.[9]
Even though section 33 provides that Critical Personal Data cannot be transferred abroad, section 34 provides certain conditions under which Critical Personal Data can be transferred outside the country. It may be transferred to a person or entity engaged in the provision of health services or emergency services where any action is needed under section 12 of the Bill, which provides the grounds for processing personal data without consent, or where the central government deems it appropriate.[10] However, this isn’t applicable in the case of e-commerce entities. Regardless of how such transfer is made, it must be notified to the Authority under the Bill.[11]
Conclusion
The Bill provides exceptions for certain Sensitive Personal Data to be transferred abroad only under section 34 as described above, whilst Critical Personal Data will in most cases not be allowed to be transferred outside India. However, looking at the definitions of Sensitive Personal Data and Critical Personal Data, it is very unclear what compliance with the data localization norms will look like.
However, once the Bill is enacted into law, this much is clear: Sensitive Personal Data is that which may reveal, be related to, or constitute financial data, health data, official identifiers like Aadhaar and PAN, sex life related information, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, and it will have to be stored in India. A silver lining is that any data which doesn’t fall under the above may be stored abroad. Recently, Google made a submission against data localization before the parliamentary panel on data protection, which has not found favour with the members of the panel (Source: IndianExpress.com). It remains to be seen whether the panel decides to dilute the data localization requirements or not.
By Abhay Pratap Singh and Aaryaan Sadanand
[1] https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244
[2] Section 3(36) of the 2019 Bill
[3] Section 33(2)
[4] Section 34(1)
[5] Section 34(1)(a)
[6] Section 34(1)(b)
[7] Section 34(1)(c)
[8] Section 34(3)
[9] Section 33(2)
[10] Section 34(2)
[11] Section 34(3)