DATA LOCALISATION REQUIREMENTS UNDER DPDPA AND THE COMPANIES ACT, 2013

Introduction

The new data protection law in India, the Digital Personal Data Protection Act, 2023 (“DPDPA”), aims to protect the personal data of individuals from unauthorised use, transfer, or disclosure by regulating the entities responsible for handling such data. While the DPDPA does not itself prescribe a localisation requirement, Section 16(1) of the DPDPA authorises the government to notify countries to which personal data cannot be transferred. In addition to the DPDPA, businesses in India may be subject to other data localisation requirements depending upon the sector in which they operate. This note provides an overview of the data localisation requirements under the Companies Act, 2013 (“Companies Act”) and the rules issued thereunder.

Maintenance of Books of Accounts Under the Companies Act

Section 128(1) of the Companies Act requires every company to keep its books of accounts and other relevant books, papers, and financial statements (“Books of Accounts”) at its registered office. Books of Accounts include records in respect of (a) amounts received and spent by the company, and the matters in respect of which such amounts have been received and spent, (b) sales and purchases of goods and services by the company, and (c) assets and liabilities of the company. Indian courts have clarified that “other books and papers” means other books and papers of the same kind as books of accounts. The term “books and papers” includes books of accounts, deeds, vouchers, writings, documents, minutes and registers maintained in physical or electronic form.

Such Books of Accounts must be maintained for a period of not less than 8 financial years immediately preceding a financial year. However, where an investigation has been ordered by the government, the records must be maintained for a longer period, as directed by the government or until the investigation is concluded.

Data Localisation Requirements for Books of Accounts Maintained in Electronic Mode

Section 128(1) of the Companies Act also permits companies to maintain Books of Accounts in electronic mode (“Electronic Records”). As per the Companies (Accounts) Rules, 2014 (“Companies Accounts Rules”), the Electronic Records must (a) remain accessible in India at all times, (b) be retained in the format in which they were originally generated, sent or received, or in a format which accurately presents the information generated, sent or received, and (c) be complete and remain unaltered. Further, there must be a proper system for the storage, retrieval, display or printout of the Electronic Records, as determined by the auditors or the board of directors, and such records must not be disposed of or rendered unusable unless permitted by law.

The proviso to Rule 3(5) of the Companies Accounts Rules specifies that if companies maintain a back-up of Electronic Records, such back-ups (irrespective of whether the Electronic Records themselves are maintained within or outside India) must be kept, on a daily basis, in servers physically located in India. Further, companies that use accounting software for maintaining their Electronic Records must only use software that (a) records an audit trail of each transaction, (b) creates an edit log of each change made in the Electronic Records, together with the date on which each change was made, and (c) does not permit the audit trail to be disabled at any time.

Penalties for Non-Compliance

If any individual within the company who has been tasked with the responsibility to maintain Books of Accounts contravenes any of the requirements prescribed under Section 128 of the Companies Act or Rule 3 of the Companies Accounts Rules, such an individual may be punished with a fine which shall not be less than INR 50,000 but which may extend to INR 5,00,000. Any person within the company who has been subject to a penalty for non-compliance with Section 128 of the Companies Act, and who commits such a breach again within 3 years of the issuance of the original penalty order, may be liable to pay a fine of up to INR 10,00,000.

Theoretically, there is no bar on the number of times adjudication may occur if the offence is a continuing one. Accordingly, we recommend that, apart from complying with the data processing requirements specified under the DPDPA, businesses also comply with the data localisation requirements specified under the Companies Act and the Companies Accounts Rules. Such compliance may be ensured by seeking assistance from a data privacy law firm in India.

Best Practices

While there is no single best practice for implementing the requirements relating to the maintenance of Electronic Records, as a leading data privacy law firm in India, we believe that the obligation to maintain a back-up of Electronic Records in servers physically located in India may be fulfilled by adopting data mirroring – a process in which data is replicated to a local or remote storage medium. Typically, database mirroring requires a principal server and a mirrored server. The principal server serves as the main database, and the mirrored server is maintained so that a back-up is in place in case the principal server fails. These services are offered by Microsoft. We recommend that companies provide access to Electronic Records only to a few selected individuals within the organisation, in order to ensure the security and integrity of such records. Additionally, companies must enforce policies governing the maintenance of Electronic Records.