Dilution of Srikrishna panel recommendations which had said firms need to store a copy locally
In a major concession to overseas players, a high-level government panel has done way with the need for foreign firms to store a copy of all personal data within India. In a dilution of the recommendations of the Justice Srikrishna committee, firms with access to such data can now store and process them abroad. However, all critical personal data must still be stored and processed in the country.
The Srikrishna panel had recommended that while personal data can be processed and stored abroad, a copy needs to be stored here. The concession could be the result of reservations expressed by several US and Europe-based companies. However, at a recent meeting on the Srikrishna panel report, officials from the Prime Minister’s Office (PMO), department of telecommunications, ministry of information technology and electronics, NITI Aayog and department of promotion of industry and internal trade, decided to hold further discussions with all stakeholders to decide what would constitute critical personal data.
As a result, the data protection Bill will not be tabled in the current session of Parliament. For its part, the Srikrishna committee report had said that critical personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual.
However, it had added that the government should define critical personal data. “The Central government should determine categories of sensitive personal data which are critical to the nation having regard to strategic interests and enforcement requirements,” it had said.
The government panel has, however, agreed with the Srikrishna panel on health data where it had said personal data relating to health should be permitted to be transferred abroad for reasons of prompt action or emergency. The relaxation by a government panel with regard to storage and processing of personal data comes after last month RBI also relaxed its April 2018 circular which required that all payment data generated in India should be stored within the country.
This came as some sort of relaxation for major international firms such as American Express, Visa, Mastercard, Amazon, Paypal, Western Union, etc. In its amended circular, RBI has allowed such international firms to store data abroad in cases where the transaction originates in the country but gets completed overseas, with a proviso that a mirror copy in such transactions be stored in India. However, for end-to-end domestic transactions all storage still needs to be done within the country.
Earlier, the RBI had not made a clear-cut distinction between transactions which are completed within the country and transactions which originate here and get completed overseas.
In its responses to the Srikrishna panel report, the European Union (EU) had said the Indian government should not stress on data localisation as apart from being unnecessary and potentially harmful to the cause of data protection, any such measure would create unnecessary costs, difficulties and uncertainties that could hamper business and investments.
“As a matter of economic policy, such an approach (data localisation) will create significant costs for companies — in particular, foreign ones — linked to setting up additional processing/storage facilities, duplicating such infrastructure etc and is thus likely to have negative effects on trade and investment. If implemented, this kind of provision would also likely hinder data transfers and complicate the facilitation of commercial exchanges, including in the context of EU-India bilateral negotiations on a possible free trade agreement,” EU had said.