No blanket order on data storage in India, walks fine line between citizens, the state and the industry.
The committee on data protection headed by retired justice BN Srikrishna, which submitted its report to the government on Friday, has struck a middle path and has not recommended blanket local data storage within the country, an issue currently being hotly debated among policymakers and industry stakeholders. It has identified circumstances under which data has to be compulsorily stored in the country, and cases where it can be stored with mirroring provisions. The report has said that critical data will have to be stored in the country.
In its 213-page report detailing the legal provisions and the architecture of the proposed data protection law, the panel has said that cross-border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for harm caused to the principal due to any violations committed by the transferee.
“It is a monumental law and we would like to have widest parliamentary consultation… We want Indian data protection law to become a model globally, blending security, privacy, safety and innovation,” IT minister Ravi Shankar Prasad, to whom the report was submitted, said. He added that the report will go through the process of inter-ministerial consultations and Cabinet as well as parliamentary approval.
Justice Srikrishna said privacy has become a burning issue and, therefore, every effort has to be made to protect data at any cost. He added that the report straddles three aspects — citizens, the state and the industry.
The report has said that personal data determined to be critical will be subject to the requirement to process only in India (there will be a prohibition against cross-border transfer for such data). The central government should determine categories of sensitive personal data which are critical to the nation having regard to strategic interests and enforcement requirements, the report has said.
Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveal transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual.
Personal data relating to health will, however, be permitted to be transferred for reasons of prompt action or emergency. Other such personal data may additionally be transferred on the basis of central government approval, according to the recommendations.
On other types of personal data (non-critical), the panel has said that they will be subject to the requirement to store at least one serving copy in India.
On the jurisdiction aspect of the proposed law, the panel has said that the law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.
“However, in respect of processing by fiduciaries that are not present in India, the law shall apply to those carrying on business in India or other activities such as profiling which could cause privacy harms to data principals in India,” the panel said.
Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India. However, the data protection law may empower the central government to exempt such companies that only process the personal data of foreign nationals not present in India.
The panel has said that the proposed law will not have retrospective application and it will come into force in a structured and phased manner.
The committee has said that various current laws like the IT Act, the Aadhaar Act, and the right to information law would require suitable amendments to conform with the data protection law. Accordingly, the panel has identified a list of 50 statutes and regulations that have a potential overlap with the data protection framework. “Concerned ministries may take note of this and ensure appropriate consultation to make complementary amendments where necessary,” the report said.
The entire architecture would be governed by a regulatory body, the Data Protection Authority, which will have a chairman as well as members. Any dispute with its regulations or orders can be challenged before an appellate authority, which the government may create separately or give the authority to any existing appellate body, according to the recommendations.