The Centre could drop the contentious data localisation norms from the new data protection Bill and add these rules to the revamped version of the broader Information Technology Act, which the Ministry of Electronics and IT (MeitY) is working on, The Indian Express has learnt.
The localisation norms, criticised by Big Tech companies as well as start-ups for being too “compliance intensive”, could be relaxed by allowing cross-border data flows to “trusted geographies”, it is learnt.
A senior government official said that data localisation could find a place in the upcoming Digital India Bill — the proposed successor to the Information Technology Act, 2000.
“More than privacy or data protection, the idea of localisation of data is about access in the event of a crime. Law-enforcement agencies investigating cases often need quick access to data related to individuals. So while as an idea, data localisation is important, the Ministry is of the opinion that it belongs in the larger IT Act replacement, than in the data protection Bill,” the official said.
The official added that the view in the government is that data should be stored in a region that is “trusted” by the Indian government and should be accessible in the event of a crime.
The government is targeting to finalise the Bill by the Winter Session of Parliament, with some officials also saying it could get pushed to the Budget session next year.
If finalised in this version, this would be a significant departure from the government’s long-held stance on data localisation, which has been a key part of multiple iterations of the Data Protection Bill – the initial one formulated by the Justice BN Srikrishna Committee in 2018 and the one finally recommended by the Joint Committee of Parliament in 2021.
Earlier this month, the government withdrew the Bill from Parliament, saying that it would come up with a “comprehensive legal framework” for the online ecosystem.
The withdrawal came despite IT Minister Ashwini Vaishnaw saying in February 2022 that he hoped to get Parliament’s nod on the Bill by the Monsoon Session.
The localisation requirements in the old data protection Bill were strongly opposed by industry bodies – that represent top tech firms like Facebook, Google and Amazon – flagging that the norms could have “negative effects on the ability of companies to do business in India”.
In a 2018 letter to then IT Minister Ravi Shankar Prasad, industry groupings like the US-India Business Council (USIBC) and Digital Europe had requested the government to remove “forced localisation requirements” from the draft Bill.
Under the withdrawn data protection Bill, companies were required to store a copy of certain sensitive personal data – like health and financial data – within India and the export of undefined “critical” personal data from the country was prohibited.
Earlier this month, The Indian Express had reported that after receiving several complaints by start-ups, the government was looking at diluting data localisation norms.
“It would allow start-ups to use tools, software and servers of foreign companies, which would have been a challenge under the localisation requirements in the withdrawn Bill,” a start-up founder said.
Since the classification of data under the withdrawn Bill into personal, sensitive personal, and critical was largely determined by what type of data can and cannot be taken outside of the country, the government is said to be considering using that classification for awarding damages to people whose personal data may have been compromised by an entity.
Sectorally, the Reserve Bank of India currently has among the most stringent local storage norms for its regulated entities.
In a directive issued in 2018, the central bank said its regulated entities must store their entire payments data, including end-to-end transaction details, in India. While the RBI has allowed payments to be processed overseas, it has mandated that the data will have to be deleted from foreign services post processing and brought back to India.