Data Localization & The New India Data Protection Regime
Introduction & Background
The opponents of the new Personal Data Protection Bill, 2019 (hereinafter referred to as the “Bill”) see it as an almost Orwellian attempt to subvert the privacy of citizens through the means of technology and digital data. The Government has been given wide powers when it comes to the collection as well as retrieval of data, something especially troublesome in the context of many governments globally indulging in mass surveillance of their citizens, and the recent concerns on privacy because Aadhaar, as well as the National Population Register(“NPR”) and National Registry of Citizens (“NRC”).
Over the last decade we have seen how destructive, the use of personal data can be. We have seen authoritative regimes like China, Russia etc. use it to track and persecute political opponents as well controversial entities like Cambridge Analytica using private data in Election analytics potentially swinging the vote in favour of their clients. Over and above this Russia and China especially have gathered infamy for using data of the citizens of other countries for their gain, especially when we see the number of digital applications originating out of China and the consequent amount of user data available to these entities it becomes clear why Data localization is serious demand of many people.
Whilst these are the wider constructional and human rights perspectives of the new Bill, the bill is set to have a massive impact on digital media and e-commerce entities. One interesting part of this is the aspect of data localization.
Data localization has been one of the most controversial aspects of the Bill. The proponents of the Bill would describe the provisions relating to data localization as a good middle ground between the interests of the Data Principle i.e. the consumer to whom the data relates, and those of the E-Commerce entities as well as other corporate interests.
Reserve Bank of India Notification
On 6th April, 2018 the Reserve Bank of India (“RBI”) vide notification titled Storage of Payment Data mandated storage of payments related data in India, thus setting the tone for the Indian data localization regime. This requirement does not fall on E-commerce entities but it does fall on System providers who provide Payment Systems as defined under Payment & Settlement Systems Act, 2007. The notification required that the entire data relating to payment systems operated by them is stored in a system in India and that the entire data relating to payment systems operated by them are stored in a system only in India. This data is required to include the full end-to-end transaction details. For the foreign leg of the transaction, if any, the data may also be stored in a foreign country, if required.
Legislative Background to the Bill
While the 2018 Justice B.N. Srikrishna Committee suggested stringent data localization norms much in the tune of the RBI Notification providing all personal data to be processed within the borders of India and the same was reflected in the 2018 draft of the Bill, the 2019 Bill provides certain exemptions.
The Bill & Data Localization
Section 33 of the 2019 bill provides a distinction within “Personal Data”, primarily for the purposes of the 2019 Bill. There are three kinds of data “Sensitive Personal Data”, “Critical Personal Data” and the remaining other kinds of personal data.
Sensitive Personal Data
Sensitive Personal Data is defined as such personal data which is related to financial data, health data, official identifier data, sex life related data, sexual orientation, biometric data, genetic data, transgender status of the data principle, intersex status, caste or tribe, religious or political belief or affiliation or any other personal data under section 15 I.e. any Personal data that the government in consultation with the authority under the bill and the sectoral regulators concerned may notify as Sensitive Personal Data. 
Sensitive Personal Data may be transferred outside the country subject to the provisions of section 34, however, it must be stored in India. The Bill further provides the conditions under which Sensitive Personal Data may be transferred outside the country. It states that the consent of the Data Principle for such transfer is explicitly required. Furthermore, the transfer of such Sensitive Personal Data must be made pursuant to a contract or intra-group scheme that is approved by the Authority under the Bill(hereinafter referred to as “Authority”), also the requirements for such intragroup scheme to be approved are that it must provide effective protection of the rights of the Data Principle as given in the Bill and that it puts liability on the data fiduciary for harm caused due to any non-compliance.
The central government can also allow transfer off Sensitive Personal Data after consultation with the Authority provided that such personal data is given an adequate level of protection and regard is given to the applicable laws. The Authority under the bill itself is also empowered to allow the transfer of any sensitive personal data. Regardless of how such transfer is made, it must be notified to the authority under Bill. 
Critical Personal Data
Critical Personal Data has been described as such data which the central government may notify. This clearly shows that the government is keeping the ball in its own court and the real extent of the compliance concerning data localization that e-commerce platforms will have to face will only be realized once the allied rules & regulations under the Bill come to light.
Even though Section 33 provides that Critical Personal Data cannot be transferred abroad, section 34 provides certain conditions where Critical Personal Data can be transferred outside the country. It may be transferred to a person or entity engaged in the provision of health services or emergency services where any action is needed under section 12 of the Bill which provides for grounds for processing personal data without consent or where the central government deems it appropriate.  However, this isn’t applicable in the case of e-commerce entities. Regardless of how such transfer is made, it must be notified to the authority under Bill. 
The Bill provides for exceptions for certain Sensitive Personal Data to be transferred abroad only under Section 34 as described above, whilst Critical Personal Data will in most cases not be allowed to be transferred outside India, however, looking at the definitions of Sensitive Personal Data and Critical Personal Data it is very unclear how the compliance to data localization norms will look like.
However, once the Bill is enacted into law, this much is clear that Sensitive Personal Data, is that which may, reveal, be related to, or constitute financial data, health data, official identifiers like Aadhar and PAN, sex life related information, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation and will have to be stored in India. A silver lining is that any data which doesn’t fall under the above may be stored abroad. Recently, Google has submitted before the parliamentary panel on data protection against data localization which has not found favour with the members of the panel (Source IndianExpress.com). It remains to be seen if the panel decides to dilute the data localization requirements or not.
By Abhay Pratap Singh and Aaryaan Sadanand
 in the 2019 Bill under Section 3(36)
 Section 33(2)
 Section 34(1)
 Section 34(1)a
 Section 34(1)b
 Section 34(1)c
 Section 34(3)
 Section 33(2)
 Section 34(2)
 Section 34(3)