Data localisation only for specific purposes: IT secretary
The draft Digital Personal Data Protection Rules focus on targeted data localisation, the challenges of verifying children's age online, and data protection.
The draft Digital Personal Data Protection Rules will take a targeted approach to data localisation, affecting only specific categories of personal data and for specific purposes, information technology (IT) secretary S Krishnan said, adding that there are no easy solutions to verifying children’s age online.

Krishnan’s statement comes soon after the Centre released the draft rules for public consultation, setting the stage for operationalising India’s personal data protection regime more than 16 months after the act was notified in August 2023.
In an interview with HT, Krishnan emphasised that the data localisation provision is limited in scope and will not automatically apply. “This could potentially only be for certain limited categories [of personal data], and for certain limited purposes,” he said, disagreeing with its characterisation as a broad localisation mandate.
Earlier versions of the bill had classified data into personal, sensitive, and critical categories, with different localisation requirements for each. The current approach, however, empowers the government to specify countries where data cannot be transferred under the act and, through the rules, allows a committee to recommend what personal data and “traffic data” significant data fiduciaries must keep within India. “Traffic data” here refers to “flow pattern metadata”, he said.
“There are worries that for certain kinds of data, we have to protect Indian interests. And this is true of every country in the world, and other western countries,” Krishnan said. “There could be concerns about health data,” he said as an example.
Sectoral regulators like SEBI and RBI will retain their authority over cross-border data flows, in line with section 16(2) of the Act, and will not have to come to the committee proposed in the rules, he confirmed. Currently, financial information, payment data, and insurance data must be stored within India, with payment data copies allowed overseas only for completing foreign transactions.
On children’s privacy, Krishnan acknowledged the fundamental challenges in implementing parental consent requirements. “The problem really is that while wanting to protect, you are actually forcing the sharing of more data. So, you have to be very careful,” he said.
Unlike Australia, India has no plans to ban children from social media platforms, he added.
The government wants to avoid requiring everyone to provide government IDs online. “If I start insisting that prove to me you are a child or an adult, then I have to ask for government ID and additional information which has its own set of problems,” he explained. He acknowledged that relying on self-declaration by children could be prone to abuse.
Krishnan indicated that technical solutions, including behavioural patterns, could help detect children online, which is why the draft rules include an exemption for such tracking. He noted different approaches might be needed for different services. “On a social network, there is potentially predatory behaviour. That’s why you start getting worried,” he said, while acknowledging that news websites such as hindustantimes.com might need different standards since “there is no content that a child cannot look at” and age verification might require greater tracking than a website was already engaged in.
For children’s age verification, Krishnan suggested virtual tokens could potentially query authenticated parentage records, possibly using digitised school enrollment data, but only if compatible with schools’ purpose limitation mandates. The government expects companies to innovate while respecting data minimisation principles as technology and digital adoption progress.
The ministry plans to give organisations 24 months for compliance after the rules are notified. The National eGovernance Division is conducting training workshops for government entities nationwide, with plans for at least 100 sessions. “We have been sensitising them, we have been running training programmes, we have been asking them [government departments] to get ready because they are also subject to the fines,” Krishnan said.
On data breaches, he clarified that while they have tried to harmonise reporting requirements with other regulations like CERT-In directions and Telecom Cyber Security Rules, “the purpose of and intent behind reporting [cybersecurity incidents under different rules] could be a little different.”
For instance, cyber attacks might affect infrastructure without compromising personal data, thus not triggering DPDP Act provisions.
While the DPDP Act doesn’t provide for user compensation in breach cases, Krishnan said that remedies will continue to be available under tort law.
The rules give some discretionary powers to the Data Protection Board chairperson for “emergent situations,” though this isn’t specifically defined. “We can’t envisage everything. Some things, you have to leave to the discretion of the chairperson who could be a high official and understands what an emergent situation is within the context of the Act,” Krishnan explained.
On law enforcement access to data, Krishnan clarified that this remains under the Information Technology Act’s purview.
However, under Section 36 of the DPDP Act and proposed Rule 22, the government can request information from the data protection board, data fiduciaries, or intermediaries, with provisions to restrict disclosure when national security is concerned.