Business Standard

Only 'critical' data to be stored in India, no curbs on personal info: Govt

The proposal is significant as it marks a departure from the original draft of the Personal Data Protection Bill

Press Trust of India  |  New Delhi 

The data should be deleted from the systems abroad and brought back to India not later than one business day or 24 hours from the payment processing, whichever is earlier, the RBI said

The is likely to propose that personal information which neither qualifies as 'critical' nor 'sensitive' should be allowed to be stored and processed anywhere, while data classified as 'critical' should be kept only in India under the draft Personal

The proposal is significant as it marks a departure from the original draft of the Personal Data Protection Bill, which had recommended that a copy of all personal data should be stored in the country. The tweaking of this provision, if accepted, will spell relief for companies.

The draft submitted by Justice B N Srikrishna committee last year had also suggested that personal data that is of 'critical' nature should mandatorily be stored only in India, a stance that will be backed by the

According to a government official, the is, however, of the view that not all personal data needs to be stored in India, and only critical and sensitive data should be kept here.

While 'critical' personal data should be mandatorily stored only in India, 'sensitive' personal information should be stored and processed in India but permitted to be transferred outside the country, the official pointed out.

The IT ministry feels that there are adequate safeguards in the proposed Bill and even if a copy of all personal data is not stored in India, such information will anyway be governed by the stringent provisions of the data protection law, including penalty in event of a breach.

After the Justice Srikrishna panel submitted its draft version of the Bill, the IT Ministry had sought public feedback on the provisions and fine-tuned the proposed document. The draft legislation will now be placed before the Cabinet, after which it will be introduced in Parliament.

The official said the change in the clause pertaining to all kinds of personal data was primarily driven by industry feedback - both Indian and global companies - which argued that maintaining one copy of all information may become cumbersome and expensive, and increase the compliance burden on firms.

"Most important change is that the original draft said that a copy of all personal data should be stored in India...ultimately, the Cabinet will take a call on the matter...IT Ministry is proposing that with regard to personal data only such data which is to be categorised as sensitive or critical needs to be stored in India," the official told PTI.

Justice Srikrishna panel - which submitted its report on data protection as well as the draft Personal in July 2018 - had recommended that "every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies".

The original draft had also stated that the central government should notify categories of personal data as 'critical' that shall only be processed in a server or data centre located in India. The committee left it to the government to define critical personal data.

The IT ministry is learnt to be of the view that the Data Protection Authority of India - envisaged in the Bill - in consultation with the sector regulators and industry should recommend to the government what kind of personal information qualifies as critical data.

The original version defines 'Sensitive Personal Data' as personal information related to passwords, financial data, health data, sex life, sexual orientation, biometric data, genetic data, transgender status, and caste or tribe, religious or political affiliation; or other category of data specified by the authority.

First Published: Tue, July 23 2019. 15:40 IST