Personal Data Protection Bill: India Dilutes Data Localisation Proposal; Allows Transfer With Conditions

(This is the third part in the series of BloombergQuint’s coverage on Personal Data Protection Bill, 2019. The first part on obligations proposed for data fiduciaries can be found here and the second on rights of users, here.)

One of the most keenly watched and debated provisions in the Personal Data Protection Bill was data localisation. The bill makes it clear that personal data can be transferred outside India, subject to fulfillment of certain conditions. It also provides for different methods of transfer depending upon the class such data fall into—sensitive and critical personal data.

Transfer Of Sensitive Personal Data

Sensitive personal data has been defined in Section 3(36) of the bill. It include financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation under its ambit.

The bill allows for the transfer of sensitive personal data outside India but mandates that they have to be stored in India as well. The sensitive personal data, however, cannot be transferred without the user’s consent.

Also, the cross-border transfer will require the permission of the data protection authority. While granting the permission, the authority has to ensure that there is effective protection of the users’ rights and provisions for liability of data fiduciary if any harm is suffered by the users. The authority has also been allowed to transfer data for any specific purpose.

The central government, too, has been given the power to allow transfer of data outside India. But it will have to ensure that these conditions are fulfilled:

• Such sensitive personal data shall be subject to an adequate level of protection, having regard to the applicable laws and international agreements.
• Such transfer shall not prejudicially affect the enforcement of relevant laws by authorities with appropriate jurisdiction.

In effect, the bill has addressed the concerns around data localisation as the original draft submitted by Justice Sri Krishna committee had recommended that any sensitive personal data could not be processed outside, said Sajai Singh, partner at J. Sagar Associates. Through this bill, Singh said, the government has allowed mirroring of data, which means that they can be allowed to be processed outside but a copy has to be kept in India.

Rajan Mathews, director general of Cellular Operators Association of India, said the government seemed to have followed the European model for data protection, which means that transfer of data outside India would be allowed but only when it is ensured that such data would get the same protection as it is given by Indian laws.

Transfer Of Critical Personal Data

According to the Section 33(2) of the Personal Data Protection Bill, critical data can be processed only in India. The central government will be the authority to decide which category of data will be considered as critical data.

While the central government can grant an exemption to this provision in two situations, it has to ensure that such a transfer doesn’t affect the security and strategic interests of the country.

The transfer of critical personal data of an individual can be permitted:

• To a person or entity engaged in the provision of health services or emergency services where such transfer is necessary for prompt action under Section 12.
• To a country or, any entity or class of entity in a country or, to an international organisation, where the central government has deemed such transfer to be permissible and such transfer in the opinion of the central government does not prejudicially affect the security and strategic interest of the state.

Singh of J. Sagar Associates, however, said it wouldn’t be possible to guess what sort of data could be classified as critical personal that have to be processed only in India but it should be the “tip of the iceberg in terms of categorisation of data on the basis of their sensitivity”.

“Personal data can identify an individual. For example, the address or some such characteristic. Sensitive data are considered to be that part of personal data that an individual doesn’t want to share with everyone. This definition varies from country to country depending on its social ethos,” Singh said. “Beyond this categorisation will be critical personal data. It will be something which can be useful or important which if misused can cause an issue for the nation, society, community or a larger group of people, apart from just the individual.’’

The sensitivity and ramifications of misuse of critical personal data is very very high, Singh said, adding the government, it seems, is saying that only such data cannot be processed outside India, whereas sensitive personal data and other personal data can be transferred outside India.

The Personal Data Protection Bill was approved by the Union Cabinet on Dec. 6, 2019. It was introduced in the Lok Sabha by Information and Technology Minister Ravi Shankar Prasad. The lower house decided to send the bill to a joint select committee, which will include members from both houses of Parliament, PTI reported.