Data Localisation and the Personal Data Protection Bill, 2019

The issue of data localisation has come under renewed focus in the past few months. While the proposed Personal Data Protection Bill, 2019 (“PDPB”) largely adopts the three pronged model that the Justice Srikrishna Committee recommended, it has not adopted the data localisation provisions from the draft bill proposed by the Justice Srikrishna Committee. The relevant provisions of the PDPB have been summarised before considering their issues and implications:

The PDPB limits data localisation to sensitive personal data (“SPDI”) and critical personal data alone and stipulates that (i) SPDI may be transferred provided that such SPDI should continue to be stored in India; and (ii) critical personal data shall only be processed in India.

In addition to the requirement of express consent from the data principal, SPDI may be transferred outside India only if (i) such transfer is pursuant to a contract or intra-group scheme approved by the Data Protection Authority under the PDPB (“DPA”); or (ii) such transfer has been permitted by the government on the basis of findings that adequate data protection will be provided and it will not prejudicially affect enforcement by authorities; or the DPA has allowed such transfer for a specific purpose.

Issues and implications:

1. Unclear obligations: There is ambiguity on the requirement of continuing to store SPDI that is transferred outside India, within India. While it is likely that the intent is to have all SPDI mirrored in India, the provisions can be strictly interpreted to mean that SPDI must be stored in India alone and while it can be transferred outside India, it cannot be stored outside India. This ambiguity is further highlighted by the fact that the PDPB does not refer to copies being stored in India, like the draft bill proposed by the Justice Srikrishna Committee.

2. Segregation: Segregating large volumes of data into SPDI and other personal data may be impractical and may lead to situations where companies decide that all data be mirrored. The fact that critical personal data cannot be transferred outside India will need further segregation before any data is transferred.

3. Establishment of infrastructure and regulatory approval: Large investments will need to be made by entities collecting SPDI of data principals within India and entities that have been storing and processing Indian data at facilities outside India will have to either establish or contract for local infrastructure to also store such data. Entities will also need to have their offshoring agreements vetted by the DPA before the transfer of data and the PDPB does not contemplate the use of pre-approved standard contractual clauses, as recommended by the Justice Srikrishna Committee.

4. Timelines: While no time period has been prescribed, affected entities may not be in a position to comply with the obligations if they are not provided lead time to ensure the required infrastructure is available to them. Companies will also have to ensure that their outsourcing arrangements are approved by the DPA and unless lead time is provided before these provisions are implemented, offshore data processing will be impacted.

While there are legitimate reasons to mandate data localisation, it is imperative that the data localisation requirements be introduced in a manner that will cause least disruption and after providing time to ensure compliance with the new regulatory regime.

Authors:

Anind Thomas, Partner
Gautam Rego, Senior Associate
Sherien Kaul, Associate

Date: November 10, 2020