Data Localisation: MeitY Says Sectoral Regulators Will Define ‘Critical Data’

With the Reserve Bank of India (RBI) taking a tough stand on the data localisation mandate for payment companies, the Ministry of Electronics and IT (MeitY) has taken further steps to define ‘critical data’ in order to avoid any ambiguities once the final guidelines are rolled out.

According to an ET report, MeitY has reportedly asked sectoral regulators and relevant departments to define what constitutes sensitive personal information. Such data will have to be necessarily stored only in India. For instance, the health ministry can say that gene sequence is critical, while the RBI may reiterate that payments data is critical.

“This will ensure that regulators such as the RBI, which has already mandated that payments data should be stored exclusively in the country, do not fall foul of the overarching law once it comes into force. Also, the sectoral regulators can mandate it later by notifying rules under the data protection Act,” the report added.

For sectors such as wildlife or herbs or ecommerce, which do not have a well-defined regulator, the concerned ministry or the IT ministry will define what is critical data after consultations.

MeitY has so far received over 600 submissions on the draft Data Protection Bill — submitted by the Justice BN Srikrishna committee in July — including that of the US government.

The Centre believes that personal data that is not critical is not required to be stored in India. The Srikrishna committee had suggested that one copy of all personal data should be stored locally and that critical data should be stored only in India.

Local tech-enabled companies such as PhonePe, Paytm, InMobi, Ola, and Freshworks, among others, have been advocating for strict data localisation laws for the past few months.

However, their foreign counterparts, including Mastercard, Visa, and PayPal have been opposing the mandate citing reasons such as increased infrastructure cost and have further asked for an extended deadline to implement data localisation.

Amazon India, which also operates payments wallet Amazon Pay, has been looking for more clarity on the data localisation directive. While Google confirmed that it would store its data locally, the company also iterated that it was in favour of cross-border data flow as it makes economic sense.

Also, on October 12, two US senators had called on PM Narendra Modi to soften India’s stance on data localisation, warning that the measure represents “key trade barriers” between the two nations, reported Reuters.

However, the RBI had set October 15 as the final deadline for companies to comply with the data localisation rules and refused to extend it further.

India expects to finalise the draft and introduce the Personal Data Protection Bill in Parliament during the winter session.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.