i

Issues related to data

localization
Context: Personal Data Protection (PDP) Bill, 2019 was an important bill among many that
were introduced in the winter session of the Lok Sabha. The Bill was referred to a joint
parliamentary committee.

ˇ
Personal data is data that pertains to characteristics, traits or attributes of identity,
which can be used to identify an individual. The Bill categorizes certain personal data
as sensitive personal data. This includes financial data, biometric data, caste, religious
or political beliefs, or any other category of data specified by the government, in
consultation with the Authority and the concerned sectoral regulator.

Key features of the bill:

ˇ
The Bill seeks to provide for the protection of personal data of individuals and
establishes a Data Protection Authority for the same.

Applicability: The Billgoverns the processing of personal data by:

Government, companies incorporated in India, and foreign companies dealing with

personal data of individuals in India.

Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the
means and purpose of processing personal data. Such processing will be subject to a
certain purpose, collection and storage limitations. For instance, personal data can be
processed only for specific, clear and lawful purposes.

Rights of the individual: The Bill sets out certain rights of the individual these include the
right to:

Obtain confirmation from the fiduciary on whether their personal data has been
processed,
 Seek correction of inaccurate, incomplete, or out-of-date personal data,

Have personal data transferred to any other data fiduciary in certain circumstances, and

Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer

necessary or consent is withdrawn.

Grounds for processing personal data: The Billallows the processing of data by fiduciaries
only if consent is provided by the individual. However, in certain circumstances, personal
data can be processed without consent. These include:

If required by the State for providing benefits to the individual,

legal proceedings and to respond to a medical emergency.

Data Protection Authority: The Billsets up a Data Protection Authority which may:

take steps to protect the interests of individuals,

prevent misuse of personal data, and

ensure compliance with the Bill.

ˇ
Authority will consist of a chairperson and six members , with at least 10 years expertise
in the field of data protection and information technology. Orders of the Authority can be
appealed to an Appellate Tribunal. Appeals from the Tribunal will go to the Supreme
Court.

Benefits of data localization:

The bill seeks to give individuals greater control over how their personal data is
collected, stored and used.

Once passed, the law promises a huge improvement on current Indian privacy law, which
is both inadequate and improperly enforced.
Criticism of the bill:

ˇ
The limited checks imposed on state surveillance , and regarding various deficiencies in
the structures and processes of the proposed Data Protection Authority.

It enables the transfer of personal data outside India , with the sub-category of sensitive
personal data have to be mirrored in the country i.e. a copy will have to be kept in the
country.

ˇ
Data processing/collecting entities will however be barred from transferring critical
personal data outside the country.

These provisions have been changed from the earlier version of the draft Bill, released
by the Justice Srikrishna Committee in 2018 . The 2018 draft imposed more stringent
measures that required both personal and sensitive personal data to be mirrored in the
country.

ˇ
Liberalized requirements will limit costs to business and ensure users have greater
flexibility in choosing where to store their data.

ˇ
The changes in the 2019 draft reflect a more proportionate approach to the issue as they
implement a system for cross-border data transfer, based on the sensitivity/vulnerability
of the data.

It is similar to the Supreme Courts directions in the 2017 Puttaswamy case, where the
Court had made it clear that interference in the fundamental right to privacy would only
be permissible if inter alia deemed necessary and proportionate.

Purpose of localization:

There are broadly three sets of arguments advanced in favor of imposing:

ˇ
Stringent data localization norms: Sovereignty and government functions; referring to
the need to recognize Indian data as a resource to be used to further national interest
(economically and strategically), and to enable enforcement of Indian law and state
functions.
ˇ
The second claim is that economic benefits will accrue to the local industry in terms of
creating local infrastructure, employment, and contributions to the AI ecosystem.

ˇ
Protection of civil liberties: The argument is that local hosting of data will enhance its
privacy and security by ensuring Indian law applies to the data and users can access
local remedies.

Way forward:

ˇ
The security of data is determined more by the technical measures , skills, cybersecurity
protocols, etc. put in place rather than its mere location. Overall, the degree of protection
afforded to data will depend on the effectiveness of the applicable data protection
regime.

ˇ
Localization may make it easier for domestic surveillance over citizens . However, it may
also enable the better exercise of privacy rights by Indian citizens against any form of
unauthorized access to data, including by foreign intelligence.

ˇ
Though the extraterritorial application of the PDP Bill also ensures that the data
protection obligations under the law continue to exist even if the data is transferred
outside the country.

Source: The Hindu