Taking cues from the RBI's data localisation efforts - despite the massive push against it by foreign companies - the Ministry of Electronics and IT (MeitY) is reportedly unlikely to allow mirroring of critical personal data. A top government official told The Economic Times that the Centre is likely to leave it to the sectoral regulators and relevant departments to define what constitutes sensitive personal information.
"For instance, health ministry can say that gene sequence is critical, while RBI may reiterate that payments data is critical," the source said, adding, "They can mandate it later by notifying rules under the data protection Act." Such critical data will have to be necessarily stored only in India.
The official added that now there is no question of allowing mirroring of critical personal data since the apex bank has already set a precedent. The buzz is that 80% of the payments players have already shifted to storing payments data generated in India within its borders in line with the RBI's April circular. So the move being mulled will ensure that the regulator does not fall foul of the overarching law once it comes into force.
For the sectors that do not boast a well-defined regulator, the concerned ministry or the IT ministry will set the definition for critical data after consultations. "Lack of a sectoral regulator is not a big hurdle, since every data type comes under some ministry or the other, be it data related to herbs or wildlife or ecommerce, and the ministries concerned can take a call on it," the source added. The Centre reportedly is also of the opinion that copies of "trivial kinds of personal data" don't have to be stored in India.
While domestic e-payments companies such as Paytm and Flipkart-backed PhonePe have previously come out in open support of the move towards data localisation, going so far as to accuse the global players of trying to find ways to avoid taxes and scrutiny, the multinational firms have been unsuccessfully lobbying for leniency.
The source added that so far MeitY has received over 600 submissions on the draft data protection bill submitted by the Justice BN Srikrishna committee, including from the US government. The bill is likely to be presented in Parliament during the winter session (November-December).
Copyright©2021 Living Media India Limited. For reprint rights: Syndications Today