The MeitY is investigating the possibility of weakening the data localisation requirements in the current draught of the Personal Data Protection Bill.
GS Paper 2: Government policies and interventions aimed at development in various sectors and issues arising out of their design and implementation.
Do you believe the Indian government’s intentions regarding data protection favour data localization? Analyze critically (250 words)
What exactly is data localisation?
- The storage of data on any device physically present within the borders of the country where the data was generated is referred to as data localisation.
- Many Indian start-ups have expressed concern that the current bill’s data localisation requirements are overly compliance-intensive and may impede the ease of doing business.
The Personal Data Protection Bill, 2019
- Personal Data Protection Bill, 2019, also known as the Privacy Bill, was introduced in Lok Sabha in December 2019.
- It seeks to protect individual rights by governing the collection, transfer, and processing of personal data.
- Data is any information, whether online or offline, that can be used to identify an individual and thus allows profiling of that individual.
The Bill governs personal data processing by I the government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
Data is classified into three categories.
• Personal Data – Information about an individual’s characteristics, traits, or attributes that can be used to identify them.
• Sensitive Personal Data: Financial data, biometric data, caste, religious or political beliefs, and any other category of data specified by the government are examples of sensitive personal data.
• Critical personal data – The government has designated certain personal data as critical personal data, which can only be processed in India.
• Data fiduciary obligations
o A data fiduciary is an entity or individual who determines the means and purpose of processing personal data.
o Such processing will be subject to purpose, collection, and storage constraints.
• Grounds for processing personal data
o The Bill allows fiduciaries to process data only with the individual’s consent.
O Personal data can, however, be processed without consent in certain circumstances. These include: if the State is required to provide benefits to the individual, legal proceedings, and responding to a medical emergency.
• Social media intermediaries
o The Bill defines these as intermediaries that enable online interaction between users and information sharing.
o All such intermediaries that have users above a notified threshold and whose actions have the potential to impact electoral democracy or public order are subject to certain obligations.
This includes offering a voluntary user verification mechanism to Indian users.
• Data Protection Authority
o The Bill establishes a Data Protection Authority, which may take action to protect individuals’ interests, prevent misuse of personal data, and ensure Bill compliance.
o It will be led by a chairperson and comprised of six members with at least ten years of experience in data protection and information technology.
o The Authority’s orders can be appealed to an Appellate Tribunal. The Supreme Court will hear Tribunal appeals.
• Data transfer outside of India
o Sensitive personal data may be transferred outside India for processing if the individual expressly consents and certain additional conditions are met.
o However, such sensitive personal data should be kept in India.
o The government has designated certain personal data as critical personal data, which can only be processed in India.
• Sharing of non-personal data with government
o The central government may direct data fiduciaries to provide it with any: non-personal data and canonymised personal data (where the data principal cannot be identified) for better service targeting.
o Many start-ups have expressed concern that the current draught of the Personal Data Protection Bill’s data localisation requirements are overly compliance-intensive and may impede the ease of doing business. As a result, the ministry is considering weakening these standards.
Concerns raised about the data localisation clause
• Problem with compliance
o The draught Bill requires entities that deal with users’ personal data to keep it within India.
o Many third-party services are used by startups from companies that may not have a physical presence in India, and a strict localisation mandate hinders cross-border business.
o Furthermore, many start-ups have customers outside of India, and a localisation mandate could make doing business with international customers difficult.
• Concerns about privacy
o Despite the Supreme Court’s recognition of the right to privacy as a fundamental right, India lacks a strong privacy law.
o Giving the government the authority to decide what data is critical personal data will lead to abuse of power by the state.
o The Indian government may access these data in the name of national security.