Data Protection Mechanism In India
First, there is the Information Technology Act, 2000 (the Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules). The Privacy Rules distinguish between ‘personal information’ and ‘sensitive personal information’, and classify ‘financial information’ such as bank account, credit or debit card or other payment instrument details as ‘sensitive personal information’. Later, a ‘Press Note’ was issued on August 24, 2011, by the Ministry of Communications and Information of India to clarify certain provisions of the Data Privacy Rules, such as:
- The obligations under the Data Privacy Rules (i.e., relating to the manner in which companies can collect and disclose “sensitive personal data or information”) apply only to Indian companies. Foreign companies are exempted; and
- “Providers of Information” as referred to in the Data Privacy Rules are limited only to natural persons.
Secondly, sectoral regulators such as the Reserve Bank of India, the Insurance Regulatory and Development Authority of India and the Securities and Exchange Board of India have issued regulations that address the protection of data collected in their respective sectors.
Provision of Data Localization for all PSPs (governed by RBI)
India’s central bank, the Reserve Bank of India (RBI), has made it mandatory from October 15, 2018, for all payment system providers and their service providers, intermediaries, third party vendors and other entities in the payment ecosystem to ensure that all data relating to the payment systems operated by them is stored in a system located only in India. Interestingly, by virtue of this regulation, RBI is seeking storage of all payment system data, which covers the entire payment processing cycle from request to final payout.
Personal Data Protection Bill 2019:
To formulate a comprehensive data protection framework in India, the Personal Data Protection Bill (Bill) was introduced on December 11, 2019. It contained a “data localization” provision and treated “non-personal data” as personal data. However, considering the recommendations of a Joint Committee of Parliament and major pushback from a range of stakeholders, including big tech companies such as Facebook and Google as well as privacy and civil society activists, the Bill was withdrawn by the Government on August 3, 2021. In particular:
- tech companies such as Meta, Google and Amazon questioned the data localization provision, which would be detrimental to their businesses;
- certain civil society groups were against the surveillance-enabling provisions that allowed the central government and its agencies blanket exemptions from adhering to any and all provisions of the Bill;
- Start-ups believe that the Bill is too compliance-intensive;
- New Delhi-based privacy advocacy group Internet Freedom Foundation said the bill “provides large exemptions to government departments, prioritises the interests of big corporations and does not adequately respect your fundamental right to privacy.”
- 81 amendments were proposed to the Bill and 12 recommendations were made towards a comprehensive legal framework for the digital ecosystem. The JPC recommended transitional provisions so that relevant entities have sufficient time to ensure compliance, as well as regulatory sandboxes, the promotion of startups, etc.
- The Asia Internet Coalition (AIC) submitted its concerns over the Bill to the Joint Parliamentary Committee in a report that lays great emphasis on the promotion of ease of doing business and the development of India’s digital economy.
Withdrawal of the Bill
On August 3, 2021, the Government withdrew the Bill, stating that, considering the report of the JPC and the large number of amendments proposed, it was proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and that a revised Bill could be tabled in Parliament in the Winter Session.
From the above discussion it is clear that, since the Bill has been withdrawn, its data localization provision is not in force. Besides, the Press Note exempts foreign companies from the obligations under the Data Privacy Rules (i.e., relating to the manner in which companies can collect and disclose “sensitive personal data or information”) and limits “providers of information” to natural persons. The direction issued by RBI applies only to the financial institutions regulated by RBI. Hence, tech companies such as Meta, Google and Amazon are not bound to follow the data localization restriction. However, every corporate entity collecting sensitive personal information must appoint a Grievance Officer to address complaints relating to the processing of such information.

Mazharul Islam,
Corporate Legal Practitioner,
Member of Harvard Business Review Advisory Council.
He can be reached at mazhar@insightez.com
