Data localisation is a key aspect in the Indian government’s cloud computing policy, the RBI’s mandate for financial data and the successive data protection bills that have been proposed.
The introduction of data localisation norms in the proposed data protection bill in India has not been well received by the relevant stakeholders. This article contends that given the recent history of India and its future economic aspirations, “data protection” and not data localisation is the way forward.
The economic reform of 1991 popularly known as the “Liberalization, Privatization and Globalization” (LPG model) was directed at making the Indian economy a globally competitive economy along with also being the fastest growing one.
The Indian Government thus (i) was prompted to relax its restrictions on trade between India and other countries; (ii) introduced structural reforms to remove rigidities in various segments of the Indian economy; and (iii) introduced stabilisation measures like balance of payments, control of inflation etc.
Fast forward to thirty years later, while India is hailed as a technological superpower and has one of the largest data processing industry, it is still grappling with the provisions of current legal framework that has been found to be lacking and not equipped to deal with challenges posed to individuals in the realm of data protection.
In 2017, the Supreme Court of India declared privacy to be a fundamental right. India since then witnessed two drafts of the Personal Data Protection Bill (“PDPB”), the first one in 2018 and the other in 2019. The PDPB, 2018 was a pathbreaking one in many aspects inasmuch as it sought to provide a definitive structure to the various practices adopted or desirable to be adopted by companies in order to protect the personal data collected by them.
However, the PDPB, 2018 also incorporated stringent blanket provisions on data localisation, which is to say that the intention was that all data fiduciaries (data controller equivalent in GDPR) were required to store a copy of the personal data collected in India. For international transfer of sensitive personal data under standard contractual clauses or intra-group schemes, there were requirements of periodical reporting to and certifications from the Data Protection Authority (“DPA”).
Subsequently, due to the criticism received primarily around data localisation norms, the Bill was revised and the PDPB, 2019 was introduced in the Lok Sabha (Upper House). Understanding the criticality of this Bill, it was referred to a Joint Parliamentary Committee (“JPC”), which is currently engaged in a process of public consultation and is reviewing the PDPB, 2019 accordingly.
The PDPB, 2019 removes the previously laid down mandatory storage of all personal data in the country. Further, in a departure from the PDPB, 2018, the current bill has relaxed data localisation restrictions and only “sensitive personal data” and “critical personal data” have been held against the rigours of data localisation.
The PDPB, 2019 also removes the data mirroring requirement for personal data. However, there are valid reservations whether segregation and localisation at the same time would be feasible. A snapshot of the layered approach can be fathomed as follows:
Sensitive personal data – It must be stored in India, but a copy of such data may be transferred outside of India in accordance with the following data transfer requirements:
- The data principal provides explicit consent.
- The transfer is made pursuant to a contract or intra-group scheme approved by the DPA.
- The government has deemed a country or class of entities within a country to provide adequate protection.
- The DPA has specifically authorized the transfer.
Sensitive personal data means such personal data, which may, reveal, be related to, or constitute financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, any other data categorised as sensitive personal data.
Critical personal data – It must be processed in India, except under emergency circumstances or where the government has approved the transfer, taking into account India’s security and strategic interests. It is pertinent to note that the Bill does not define this category of data and defers to the government for the definition through subsequent notification.
The narrative that the Indian government has woven in favour of data localisation is the protection of personal data of Indian citizens, including protection for access of foreign governments coupled with the concerns of national security, improved data security; easier access to data and control for national regulators, enforcers and supervisors; and protection of domestic industry; creation of local jobs by necessitating the establishment of domestic data centres.
While the arguments in favour of data localisation are legitimate concerns, there is little evidence to support that data localisation has in fact led to these outcomes. On the contrary, there are studies that have concluded that when it comes to data security, investment in infrastructure and maintenance is more critical than the physical location of data in itself.
Moreover, in the event the companies decide to exit a particular market due to increased costs and or inability to provide services, the reverse may be true and on the contrary we may see instances of drastic reduction of jobs. Data localisation will only benefit such domestic entities that conduct business domestically while increasing costs of domestic companies that are doing international business or business with international companies.
It is hoped that the legislation will finally address how personal data is to be protected whilst it traverses international borders, remove “digital trade barriers” rather than emphasise where the data is physically located and above all protect the privacy of Indian citizens.
While countries like China and Russia have data localisation laws, it is recommended that India looks towards the European Union and the countries like the United States, Australia, Singapore which have a robust and healthy data protection regime in place which facilitates international trade and globalisation rather than impede it
By Tripti Dhar, Partner, Reina Legal LLP, India