Full text of the proposed bill can be accessed here.
Data Localization
This is one of the more stringent requirements of the Bill, and distinguishes it from data protection laws in other jurisdictions.
The Bill requires certain categories of personal data, which the central government may notify as critical personal data, to be processed only through servers or data centers located within India (See Section 40).
However, this obligation is not absolute, and allows for transfer of certain personal data under limited circumstances, as discussed below.
Personal data, except sensitive personal data, may be transferred outside India under the following conditions:
- the transfer is made subject to standard contractual clauses or intra-group schemes that have been approved by the Authority;
- the Central Government has prescribed that transfers to a particular country or to its sector, or to a particular international organisation, are permissible; or
- the Authority approves a transfer as permissible due to a situation of necessity (See Section 41).
Sensitive personal data notified by the Central Government may be transferred outside the territory of India:
- To an entity engaged in the provision of health services or emergency services where such transfer is strictly necessary for prompt action, as defined under the Bill; and
- To a particular country or to its sector, or to a particular international organisation, specified by the Central Government, where the Central Government is satisfied that such transfer is necessary for the data fiduciary or for the data principal and such transfer does not hamper the enforcement of this Bill (See Section 41).
Exemptions
The obligations discussed above are not imposed absolutely and unconditionally on every entity that collects and processes personal data. The Bill provides for a large number of entities and circumstances in which the burden on the data fiduciary is significantly reduced, exempting the application of all provisions of the Bill except for Sections 4 and 31.
Section 4 imposes a general obligation of fair and reasonable processing of personal data, while Section 31 requires the data fiduciary to maintain certain security safeguards. However, since neither of these provisions imposes specific obligations or any penalties for failure to comply, the result is that the exemptions are quite broad.
The Bill lists the following circumstances in which the Bill (except for Sections 4 and 31) will not apply:
- Processing of personal data in interest of state security, as permitted by Law (See Section 42);
- Processing of personal data for prevention or investigation of any offence, as permitted by Law (See Section 43);
- Disclosure of personal data for legal processes such as defending charges, enforcing rights, taking legal advice, exercise of judicial function, etc. (See Section 44);
- Processing of personal data by a natural person for personal and domestic use, not involving any public disclosure or commercial activity (in this case, provisions of Section 31 are also exempted) (See Section 46);
- Processing of personal data for journalistic purposes (See Section 47).
Small entities with turnover of less than Rs. 20 lakhs, collecting data of 100 or fewer principals, and not disclosing the data to third parties, are exempt from certain provisions of the Bill (See Section 48). In addition, the Bill permits the Authority to make certain exceptions for research purposes (See Section 45).
This post is authored by Arjun Kansal and Ashwini Arun, Associates, BananaIP Counsels.