304 North Cardinal St.
Dorchester Center, MA 02124
What did the data localization bill say? What did the data localization bill say?
Story so far: On Wednesday, August 3, the Center government withdrew the Privacy Bill that it introduced in the Lok Sabha on December 11, 2019. The bill, which had undergone intense scrutiny by the Joint Parliamentary Committee (JPC), would now be replaced by a “new law that fits into a comprehensive legal framework,” according to the government’s downloadable statement. Information Technology Minister Ashwini Vaishnaw said the new bill is in an advanced stage of preparation and may be introduced in the budget session next year.
What is the origin of the law?
In a key Justice K.S. In the case of Puttaswamy (Retd) vs Union Of India, the Supreme Court of India in 2017 held that the right to privacy is an integral part of the right to life and personal liberty guaranteed by the Constitution of India. In light of this judgment and growing concerns over how big tech platforms handled the personal data of their Indian users, the Center in 2017 set up an expert panel chaired by former Supreme Court judge B.N. Srikrishna to formulate a regulatory framework for data protection. The Srikrishna Committee submitted its report and draft Data Protection Bill to the Ministry of Electronics and Information Technology on 27 July 2018.
However, a bill introduced by the ministry in Parliament a year later was criticized by Justice Srikrishna for giving the central government far more control over data than the committee’s proposal had envisaged.
The JPC, which then deliberated on the bill, submitted its report in November 2021 on the clearing of clause 35, a provision that allows government agencies to circumvent provisions of the bill citing “public order”, “sovereignty”, “friendly relations with foreign states” and “national security “. Opposition JPC members submitted strong dissenting remarks along with the report.
Why was the bill withdrawn now?
Despite retaining access to the data, the government has now withdrawn the bill, citing a significant number of amendments, recommendations and corrections suggested by the JPC. The 542-page JPC report contains 93 recommendations, 81 amendments and proposed 97 corrections and improvements to the bill. One of the key recommendations is to expand the scope of the law to cover all data instead of just personal data – a significant departure from its origins in Puttaswamy. The government says that in the face of such a radical overhaul, it is better to introduce a new bill.
In addition, the government also said it had received several concerns from the tech industry — specifically Indian startups — about the data localization provisions in the bill.
What did the data localization bill say?
Personal data was defined in the bill as “any characteristic, property, feature or any other characteristic information” that can be used to identify a person. The Bill also identified a sub-category of sensitive personal data such as details of a person’s finances, health, sexual orientation and practices, caste, political and religious beliefs and biometric and genetic data. It also created a category of critical personal data, which in future was “personal data as may be notified by the Central Government”.
The bill said that while sensitive personal data can be transferred abroad for processing, a copy must be kept in India. Critical personal data can only be stored and processed in India. It also sets out the conditions under which sensitive data, such as government contracts, can be sent abroad.
Several countries have such provisions to locate, given the strategic and commercial implications of the data, “new oil”. However, large and small businesses, international and domestic, have problems with such localization.
What were the tech industry’s concerns?
Indian start-ups have raised the issue that the infrastructure required to meet localization requirements will be a huge drain on their resources. Start-ups also often depend on international companies for services such as customer management, analytics and marketing, which will require them to send data about their customers abroad. Requiring data localization would not only limit their options for choosing such services, but also burden them with compliance processes.
The compliance requirements also have implications for larger US-based technology companies, with reports suggesting umbrella organizations of US businesses have lobbied against the bill.
One of the JPC’s recommendations would also be of particular concern to social media companies as it sought to move them from the category of online intermediaries to content publishers, making them accountable for the posts they host.