Panel proposes 'India only' policy for critical personal data
New Delhi: All critical personal data on people in India should be processed within the country, a government panel said on Friday.
The recommendation comes at a time when data breaches are becoming common globally and there is heightened scrutiny by governments on how companies handle user data.
The panel, headed by former Supreme Court judge B.N. Srikrishna, also presented a draft bill that will go before parliament designed to enhance data protection. The legislation could affect how global companies store data in India.
The panel said “personal data determined to be critical” will be subject to the requirement of being processed “only in India”, according to its 213-page report released on Friday.
“The central government should determine categories of sensitive personal data which are critical to the nation,” the panel said, adding that there will be a prohibition against cross-border transfer of such data.
The panel recommendations were keenly awaited by US trade groups and global technology companies, who fear any stringent data localization directive by the government could alter their business models and raise costs.
Nehaa Chaudhari, a technology policy expert at Indian law firm TRA, said the recommendation was strong as it showed the government wanted to see some kind of data localized.
“They seem to be conscious of the threat of data breaches,” Chaudhari said. “The devil here is the detail, we will need to know what is critical personal data.”
US trade groups, representing companies such as Visa, Mastercard and American Express, have been protesting against an Indian central bank directive which said in April that all payments data should be stored locally within six months.
Asked about how financial data should be stored, Srikrishna said at a press briefing that the Reserve Bank had “jumped the gun”, adding that a new data protection law will “override” all other notifications and regulations on data storage.
The government panel also recommended setting up a “data protection authority”, an agency which would look at enforcement and implementation of the new data protection law.
India has in recent months become increasingly conscious of the risk of data breaches. The government on Thursday said it had asked its federal police to probe misuse of Facebook user data by Cambridge Analytica, a political consultancy which was earlier this year accused of improperly using data of 87 million Facebook users.
“It is suspected that Cambridge Analytica may have been involved in illegally obtaining data of Indians which could be misused,” the IT minister said.