The list of ‘critical’ data that has to be processed and stored only in India will be updated from time to time based on new technology developments, officials said.
The first critical data list will be notified by the yet-to-be-formed Data Protection Authority after thorough consultations once the Personal Data Protection Bill is passed in Parliament, they said.
“It will be a flexible list, an evolving list,” a senior government official said. “It will be done through a consultative process by taking inputs from all the ministries.”
Experts, however, said an evolving list can pose a challenge to companies that may have to change their data storage sites every time the list is updated.
“An evolving list will create uncertainty for companies if they have to time and again change their data storage architecture and reinvent the wheel on data classification,” said Nikhil Narendran, partner at law firm Trilegal. “It is good to lay down upfront the principles based on which data is considered to be critical.”
Companies are barred from storing critical data outside Indian territory, unless exempted by the authority and the central government. Once the critical data list comes out, organisations will have to perform an assessment of their data storage practices and maintain servers and data centres in India, if needed.
“To continue India’s data privacy journey at the envisaged pace, it would be important for the bill to have concrete clarity around definitions specifically for critical data,” said Vidur Gupta, partner — data privacy at EY India.
An email sent to the electronics and information technology ministry did not elicit a response as of press time on Sunday.
Top global technology firms including Google, Facebook and Amazon are lobbying against data localisation, citing increased costs and privacy concerns.
The issue also raised trade tensions between India and the US. Indian technology companies such as Reliance Jio and Paytm have supported data localisation as necessary for national security.―India Finance News