The MeitY is looking at the possibility of diluting the norms related to data localisation requirements in the current draft of the personal data protection Bill.
What is ‘data localisation’?
- Data localisation refers to the storage of data on any device physically present within the borders of the specific country where the data was generated.
- Many Indian start-ups had raised the issue that data localisation requirements in the current bill are too compliance intensive and could hamper ease of doing business.
- Therefore, the Ministry of Information Technology is looking at the possibility of diluting these norms.
About the ‘Data Protection Bill’ –
- The Bill, commonly referred to as the Privacy Bill, was introduced in Lok Sabha in December 2019.
- It intends to protect individual rights by regulating the collection, movement, and processing of personal data.
- Personal data includes information – online or offline – that could be used to identify an individual and hence allows profiling that person.
Provisions of the bill –
- Applicability — The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
- Data divided into three categories —
  - Personal Data – Data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.
  - Sensitive personal data – This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government.
  - Critical personal data – Certain personal data notified as critical personal data by the government can only be processed in India.
- Obligations of data fiduciary —
  - A data fiduciary is an entity or individual who decides the means and purpose of processing personal data.
  - Such processing will be subject to certain purpose, collection and storage limitations.
- Grounds for processing personal data —
  - The Bill allows processing of data by fiduciaries only if consent is provided by the individual.
  - However, in certain circumstances, personal data can be processed without consent. These include –
    - if required by the State for providing benefits to the individual,
    - legal proceedings,
    - to respond to a medical emergency.
- Social media intermediaries —
  - The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information.
  - All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations.
  - This includes providing a voluntary user verification mechanism for users in India.
- Data Protection Authority —
  - The Bill sets up a Data Protection Authority which may take steps to protect interests of individuals; prevent misuse of personal data; and ensure compliance with the Bill.
  - It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology.
  - Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
- Transfer of data outside India —
  - Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions.
  - However, such sensitive personal data should continue to be stored in India.
  - Certain personal data notified as critical personal data by the government can only be processed in India.
- Sharing of non-personal data with government —
  - The central government may direct data fiduciaries to provide it with any –
    - non-personal data and
    - anonymised personal data (where it is not possible to identify data principal) for better targeting of services.