Personal data: All you need to know about data localisation rules in India

Reliance Jio, Bharti Airtel and Paytm are reportedly opposing the Centre’s move to allow the transfer of personal data to some foreign “trusted” countries and want the data of Indians to be stored within the country only. According to a report by the Economic Times (ET), this is opposite to the stance taken by the Internet and Mobile Association of India (IAMAI).

The rules around data localisation in India are not clearly defined yet. Still, the introduction of the draft of the Digital Personal Data Protection Bill, 2022, in November last year brought the topic back to light.

What is data localisation?

Data localisation is storing the data, critical and non-critical, within the boundaries of a country. It gives the country control over its data and helps formulate clearer policies around privacy and data security.

According to experts, localisation also protects the country from foreign surveillance. It also results in greater accountability for firms like Google, Meta etc.

Data localisation may also reduce a country’s dependence on Mutual Legal Assistance Treaties (MLATs). These are signed to facilitate the exchange of information between two countries. India has MLATs in 45 countries.

However, it also poses certain threats. The company which stores the data locally may refuse to share the encryption keys with the government. Also, it may lead to significant additional investments by global countries in India.

Data localisation norms in India

Currently, data localisation norms in India come under different acts. These include the Companies Act, 2013 and IRDAI Regulation, 2015.

Under Section 94 of the Companies Act 2013, organisations are required to store their financial information at the company’s registered office. This includes data about equity shareholders, preference shareholders, debenture holders and annual returns filed by the company.

Also, according to the Reserve Bank of India’s (RBI) Payment and Settlement Systems Act 2007, the covered companies must store end-to-end transaction details within India. This applies to credit cards, debit cards, smart cards and money transfers. However, it also allows the organisations to share a copy of the data outside India if it is necessary to complete the payment.

“…statutes like RBI guidelines and Payment and Settlement Systems Act mandate banks operating in India to store the entire payment system data/payment data only in India. RBI also suggested that there is no bar on processing payment transactions outside India if so desired by the Payment System Operators. In case this processing is done abroad, the data should be deleted from the systems abroad and brought back to India within one business day or 24 hours from payment processing, whichever is earlier. A few other RBI guidelines also mandate restriction on storage of actual card data by payment system providers and payment system participants,” said Akshay Garkel, partner and cyber leader at Grant Thornton Bharat.

Under the IRDAI (Maintenance of Insurance Records) Regulation, 2015, organisations need to store digital data related to policies and claims made in India inside the country’s border.

However, many changes are expected once the data protection bill is passed in the legislature. The Personal Data Protection Bill 2019 was introduced in Lok Sabha by the government on December 11, 2019, but was withdrawn in 2022.

Later, in November 2022, a new draft, Digital Personal Data Protection Bill 2022, was released for public consultation.

Digital Personal Data Protection Bill, 2022

Under the bill, the Centre said it would impose “heavy penalties” on the parties for non-compliance.

The bill proposed setting up a Data Protection Board of India to “determine non-compliance with provisions of this Act and impose a penalty under the provisions of this Act”. In case of a personal data breach, it can “direct the Data Fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to Data Principals”.

Data Fiduciary is a person or organisation that uses the data, and Data Principal is the person or organisation to whom the data belongs.

The bill said, “On or before requesting a Data Principal for her consent, a Data Fiduciary shall give to the Data Principal an itemised notice in a clear and plain language containing a description of personal data sought to be collected by the Data Fiduciary and the purpose of the processing of such personal data”.

The bill also proposed that the customer must have the “right to correction and erasure of her data, in accordance with the applicable laws and in such manner as may be prescribed”. They will also have a “means of registering a grievance”.

However, the major point of contention was the Centre might decide to share the personal data with foreign “trusted” countries in certain cases. The industry is divided on that.

“The latest privacy bill strives to achieve a balance by allowing cross-border data flows to ‘preferred geographies’ (which doesn’t have any explanation in the bill) as notified by the Central Government, however, the certainty of nations continuing to remain a preferred geography in the near or distant future will always remain unpredictable. Therefore, organisations may have to rely on more frequent cross border citizen data transfer impact assessment exercise,” Garkel said.

“…the new bill is under deliberation as we speak but could very well become a springboard for the country’s digital engine to gallop with the necessary guardrails in protecting personal and sensitive citizen data,” he added.

Data protection and localisation elsewhere

Out of 194 countries, an estimated 137 have put in place legislation to secure the protection of data and privacy.