The PDPB, 2019 has enumerated restriction on transfer of sensitive personal data and critical personal data outside India. i.e. Data Localisation.
sensitive personal data – means such personal data, which may, reveal, be related to, or constitute to financial, health, official identifier, sexual orientation, biometric, genetic, caste or tribe, religious or political belief or affiliation.
It must be stored only in India, though it can be transferred outside India for the purpose of processing with explicit consent by the data principal, where –
- the transfer is made pursuant to a contract or intra-group scheme approved by the Authority.
- the Central Government, after consultation with the Authority, has allowed the transfer to a country/ entity/ class of entity in a country/ an international organisation.
- the transfer is approved by the Authority.
critical personal data – means such personal data as may be notified by the Central Government to be the critical personal data.
It must be stored and processed only in India. It can only be transferred outside India, where such transfer is –
- to a person or entity engaged in the provision of health services or emergency services. However, such transfers shall be notified to the Authority; or
- to a country/ any entity/ class of entity in a country/ an international organisation, where the Central Government deems it permissible and is of opinion that it does not prejudicially affect the security and strategic interest of the State.