The MeitY is looking at the possibility of diluting the norms related to data localisation requirements in the current draft of the personal data protection Bill.


What is ‘data localisation’?

  • Data localisation is referred as storage of data on any device physically present within the borders of specific country where data was generated.
  • Many Indian start-ups had raised the issue that data localisation requirements in the current bill are too compliance intensive and could hamper ease of doing business.
  • Therefore, the Ministry of Information Technology is looking at the possibility of diluting these norms.


About the ‘Data Protection Bill’

  • The Bill, commonly referred to as the Privacy Bill, was introduced in Lok Sabha in December 2019.
  • It intends to protect individual rights by regulating the collection, movement, and processing of personal data.
  • Personal data includes information – online or offline – that could be used to identify an individual and hence allows profiling that person.


Provisions of the bill

  • Applicability — The Bill governs the processing of personal data by: (i) government, (ii) companies incorporated in India, and (iii) foreign companies dealing with personal data of individuals in India.
  • Data divided into three categories —
    • Personal Data – Data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.
    • Sensitive personal data – This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government.
    • Critical personal data – Certain personal data notified as critical personal data by the government can only be processed in India.
  • Obligations of data fiduciary —
    • A data fiduciary is an entity or individual who decides the means and purpose of processing personal data.
    • Such processing will be subject to certain purpose, collection and storage limitations.
  • Grounds for processing personal data —
    • The Bill allows processing of data by fiduciaries only if consent is provided by the individual.
    • However, in certain circumstances, personal data can be processed without consent. These include –
      • if required by the State for providing benefits to the individual,
      • legal proceedings,
      • to respond to a medical emergency.
  • Social media intermediaries —
    • The Bill defines these to include intermediaries which enable online interaction between users and allow for sharing of information.
    • All such intermediaries which have users above a notified threshold, and whose actions can impact electoral democracy or public order, have certain obligations.
      • This includes providing a voluntary user verification mechanism for users in India.
  • Data Protection Authority —
    • The Bill sets up a Data Protection Authority which may take steps to protect interests of individuals; prevent misuse of personal data; and ensure compliance with the Bill.
    • It will consist of a chairperson and six members, with at least 10 years’ expertise in the field of data protection and information technology.
    • Orders of the Authority can be appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme Court.
  • Transfer of data outside India —
    • Sensitive personal data may be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions.
    • However, such sensitive personal data should continue to be stored in India.
    • Certain personal data notified as critical personal data by the government can only be processed in India.
  • Sharing of non-personal data with government —
    • The central government may direct data fiduciaries to provide it with any –
      • non-personal data and
      • anonymised personal data (where it is not possible to identify data principal) for better targeting of services.