The IT Ministry is likely to propose that personal information which qualifies as neither ‘critical’ nor ‘sensitive’ should be allowed to be stored and processed anywhere, while data classified as ‘critical’ should be kept only in India under the draft Personal Data Protection Bill.
The proposal is significant as it marks a departure from the original draft of the Personal Data Protection Bill, which had recommended that a copy of all personal data should be stored in the country. The tweaking of this provision, if accepted, will spell relief for companies.
The draft Data Protection Bill submitted by the Justice B N Srikrishna committee last year had also suggested that personal data of a ‘critical’ nature should mandatorily be stored only in India, a stance that will be backed by the IT Ministry.
According to a government official, the IT Ministry is, however, of the view that not all personal data needs to be stored in India, and only critical and sensitive data should be kept here.
While ‘critical’ personal data should be mandatorily stored only in India, ‘sensitive’ personal information should be stored and processed in India but permitted to be transferred outside the country, the official pointed out.
The IT ministry feels that there are adequate safeguards in the proposed Bill and even if a copy of all personal data is not stored in India, such information will anyway be governed by the stringent provisions of the data protection law, including a penalty in the event of a breach.
After the Justice Srikrishna panel submitted its draft version of the Bill, the IT Ministry had sought public feedback on the provisions to fine-tune the proposed document. The draft legislation will now be placed before the Cabinet, after which it will be introduced in Parliament.
The official said the change in the clause pertaining to all kinds of personal data was primarily driven by industry feedback – both Indian and global companies – which argued that maintaining one copy of all information may become cumbersome, expensive and increase the compliance burden on firms.
“Most important change is that the original draft said that a copy of all personal data should be stored in India…ultimately, the Cabinet will take a call on the matter…IT Ministry is proposing that with regard to personal data only such data which is to be categorised as sensitive or critical needs to be stored in India,” the official told PTI.
The Justice Srikrishna panel – which submitted its report on data protection as well as the draft Personal Data Protection Bill in July 2018 – had recommended that “every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies”.
The original draft had also stated that the central government should notify categories of personal data as ‘critical’ that shall only be processed in a server or data centre located in India. The committee left it to the government to define critical personal data.
The IT ministry is learnt to be of the view that the Data Protection Authority of India – envisaged in the Bill – in consultation with the sector regulators and industry should recommend to the government what kind of personal information qualifies as critical data.
The original version defines ‘Sensitive Personal Data’ as personal information related to passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, transgender status, and caste or tribe, religious or political affiliation; or other category of data specified by the authority.