The IT Ministry is likely to propose that personal information which does not qualifies as either ‘critical’ or ‘sensitive’ should be allowed to be stored and processed anywhere, while data classified as ‘critical’ should be kept only in India under the draft Personal Data Protection Bill.
The proposal is significant as it marks a departure from the original draft of the Personal Data Protection Bill, which had recommended that copy of all personal data should be stored in the country.
The tweaking of this provision, if accepted, will spell a relief for companies.
The draft Data Protection Bill submitted by Justice BN Srikrishna Committee last year had also suggested that personal data that is of ‘critical’ nature should mandatorily be stored only in India, a stance that will be backed by the IT Ministry.
According to a government official, the IT Ministry is, however, of the view that not all personal data needs to be stored in India, and only ‘critical’ and ‘sensitive’ data should be kept here.
Also read:New data protection law to impact 50 existing Acts
While ‘critical’ personal data should be mandatorily stored only in India, ‘sensitive’ personal information should be stored and processed in India, but permitted to be transferred outside the country, the official pointed out.
The Ministry feels that there are adequate safeguards in the proposed Bill and even if a copy of all personal data is not stored in India, such information will anyway be governed by the stringent provisions of the data protection law, including penalty in event of a breach.
After the Justice Srikrishna Panel submitted its draft version of the Bill, the IT Ministry had sought public feedback on the provisions, and fine-tune the proposed document.
The draft legislation will now be placed before the Cabinet, after which it will be introduced in Parliament.
Change in stance
The official said the change in the clause pertaining to all kinds of personal data was primarily driven by industry feedback — both Indian and global companies — which argued that maintaining one copy of all information may become cumbersome, expensive and increase compliance burden on firms.
Also read:People, not the state, must own their data
“Most important change is that the original draft said that a copy of all personal data should be stored in India...ultimately, the Cabinet will take a call on the matter...IT Ministry is proposing that with regard to personal data only such data which is to be categorised as sensitive or critical needs to be stored in India,” the official told PTI .
Justice Srikrishna panel — which submitted its report on data protection as well as the draft Personal Data Protection Bill in July 2018 — had recommended that “every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies”.
Defining critical data
The original draft had also stated that central government should notify categories of personal data as ‘critical’ that shall only be processed in a server or data centre located in India.
The Committee left it to the government to define critical personal data.
Also read:We’ve already lost the data privacy battle
The IT Ministry is learnt to be of the view that Data Protection Authority of India,(envisaged in the Bill) in consultation with the sector regulators and industry, should recommend to the government what kind of personal information qualifies as critical data.
The original version defines ‘Sensitive Personal Data’ as personal information related to passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, transgender status, caste or tribe, religious or political affiliation; or other category of data specified by the authority.