On August 4th, 2022, the Indian Government withdrew the much debated Personal Data Protection Bill, 2019, after deliberating over it for more than two years and receiving comments from various experts and stakeholders across the country. Several recommendations were issued by the Joint Parliamentary Committee on the provisions of the Bill as well. Commentators have highlighted a number of reasons that could explain the withdrawal of the Bill. In this post, we explore the Bill’s approach to data localization, focusing specifically on the term “critical personal data.” It will be interesting to see whether and how a subsequent bill addresses this important issue.
One of the criticisms of the Bill was that it did not expressly define the term “critical personal data” and instead left definition to the discretion of the Central Government. As provided in the Explanation to Clause 33(2): “the expression ‘critical personal data’ means such personal data as may be notified by the Central Government to be the critical personal data.” This definition was important because of the Bill’s data localization requirement for critical personal data. According to Clause 33(2) of the Bill, “[t]he critical personal data shall only be processed in India” (emphasis added). Clause 34(2) provided very limited exceptions to this localization requirement, allowing for transfers outside India “only where such transfer is to a person or entity engaged in providing health services or emergency services; or to a country or any entity or class of entity which the Central Government has deemed to be permissible and where such transfer, in the opinion of the Central Government, does not prejudicially affect the security and strategic interest of India”. The Bill did not give any more information about what could be categorized as critical personal data, leaving broad discretion to the Central Government to define the term.
By contrast, the Bill defined “sensitive personal data” in significant detail. According to Clause 3(36):
“sensitive personal data” means such personal data, which may, reveal, be related to, or constitute—(i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorised as sensitive personal data under section 15.”
Unlike critical personal data, the Bill allowed entities to transfer sensitive personal data outside India subject to specific restrictions and safeguards. Given the broad range of information included in the definition of sensitive personal data, and the carefully delineated provisions governing transfer of such data, it was unclear what information the Central Government might, in its discretion, choose to categorize as “critical” and on which it would impose a strict localization requirement.
Justice B.N. Srikrishna Committee’s report, which was the first Committee to provide comments on the legislation, suggested that “critical personal data” could comprise a wider range of information than just personal data. That report discusses the importance of data localization for India, stating (on page 91) (emphasis added):
Critical data, in this context will include all kinds of data necessary for the wheels of the economy and the nation-state to keep turning. It is thus a wider category than the determination of data in respect of which foreign surveillance needs to be prevented and may include health, government services, infrastructure data and system control software which includes inter alia transport, waterways and all controlled and sensor mapped infrastructure. This may even extend beyond the scope of personal data, regarding which an appropriate call may have to be taken by the Government of India. The objective will be served if even a single live, serving copy of such critical personal data is stored in India. However, the processing of such data exclusively within India may be necessary for other benefits . . .
It is pertinent to note that the majority in the Joint Parliamentary Committee Report did not raise any objections to the undefined term “critical personal data” (at least one dissent did recommend that the term be defined in the legislation). On the contrary, the report appeared to support data localization policy generally. For example, it stated that “[d]ata is core to the future of our economy and is unlike any other resource” (para. 1.9.1) and explained that strategic objectives include “timely access … by law enforcement agencies,” “provid[ing] a great boost to the data economy in the domestic market with the emergence of the data centers and other associated industries,” and “[b]argaining power” (para. 1.9.4).
These expansive statements about the benefits of data localization raised concerns. For example, the Internet Freedom Foundation published a piece that was critical of Bill’s failure to define critical personal data. The Foundation argued that if the government defined the term too expansively, “[i]nnovation will be stifled as [entities who depend on foreign cloud service providers] would be deprived of the global technological developments.” In addition, the Foundation stated that with data localization, “law enforcement agencies in the country will easily obtain greater access to data… However, in the absence of strong surveillance reforms in the country, storing sensitive and critical personal data in India only raises concerns of unbridled intrusion into privacy by the State.” In this regard, it is important to note that Clause 35 of the Bill also came under criticism; under that clause, the Central Government could, when “expedient,” exempt government agencies from “all or any of the provisions” of the Bill for reasons such as “sovereignty and integrity of India,” “the security of the state,” or “public order.”
It may be helpful at this point to look into whether other aspects of the law in India might impose constraints on how the Central Government would exercise its discretion to define a term that was left undefined in a statute. Article 73 of the Constitution of India provides that, subject to the provisions of the Constitution, the “executive power of the [Central Government] shall extend . . . to the matters with respect to which Parliament has the power to make laws.” As the Supreme Court of India has explained, this means the Central Government can issue executive directions relating to the matters dealt with in statute, so long as they are not contrary to the provisions of that law: “The executive power of the Union, under Article 73 extends to the matters with respect to which Parliament has power to make laws and hence, the field in which law could have been made, executive instructions may be issued in the absence of legislation in the field or if there is existing legislation, then to supplement it” (para. 35, emphasis added).
Note that in its attempt to define a term, the concerned ministry or the government may engage in public consultations. This is not as formalized as it is in the U.S. under the Administrative Procedure Act. As noted by one commentator, “[India] lack[s] a strong tradition of lawmakers engaging in public consultations and participation of other stakeholders in the process of drafting laws and regulation.” In recent years, a non-government organization, maintains a list of all the current draft legislations where public comments have been invited.
The Supreme Court may step in and define the term itself, if and when faced with an opportunity before it. It has powers under Article 141 of the Constitution. In a number of cases, the Court held that by issuing directions the Supreme Court was not taking over the functions of the legislature but merely filling up the vacuum until the legislature chose to make an appropriate law.
Now, since the Bill has been withdrawn, it is unclear what the government as well as the legislature plan with regards to data protection legislation in India. If there is a step forward in this direction, the Ministry of Electronics and Information Technology will likely call for public comments on the proposed legislation. In 2014, the Ministry of Law and Justice, a division of the Legislative Department, issued an Executive Order inviting pre-legislative consultation by every Ministry/Department before any legislative proposal is submitted to the Union Cabinet for consideration and approval. In the event a Department fails to call for comments on a proposed Bill, it is required to submit reasons for such an action, to the Union Cabinet.
In conclusion, as the process moves forward, it will be important to note how any new bill deals with the issue of data localization and defines important terms like “critical personal data.” Including such definitions would help the public engage in informed discussion about the actual implications of the legislative proposal.