The Joint Parliamentary Committee reviewing the Personal Data Protection (PDP) Bill has recommended data localisation because of the economic, national security, and privacy benefits it provides. Specifically, all sensitive and critical personal data must be stored in India and can only be transferred outside India under certain conditions, according to the committee's report. Transferring sensitive personal data outside India based on contract or intra-group scheme Sensitive personal data can be transferred outside India for processing when explicit consent is given by the data principal for such transfer, and where the transfer is made pursuant to a contract or intra-group scheme approved by the Data Protection Authority in consultation with the Central Government. Such schemes must ensure effective protection of the rights of the data principal, liability of the data fiduciary for harm caused due to non-compliance of the provisions of the scheme, and should not be against public policy or State policy. Sensitive personal data is personal data, which may reveal, be related to, or constitute — financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation; any other data categorised as sensitive personal data by the government based on section 15 of the Bill. Critical personal data is not defined in the Bill and will be determined by the Central Government, the Bill said. Earlier draft: In the Personal Data Protection (PDP) Bill 2019, the DPA did not have to consult the Central Government before approving a contract or intra-group scheme and the clause that…
