India has unveiled for discussion its privacy legislation titled Personal Data Protection Bill, 2018. The proposed legislation borrows heavily from Europe’s General Data Protection Regulation (GDPR) and provides a comprehensive framework for collection, processing and sharing of personal data by individuals, entities and state. The proposed legislation provides clear definitions, horizontal application, extra-territorial jurisdiction, steep penalties for violations, data localization requirements and various exceptions mostly to the state in relation to processing of the personal data. One of most significant proposals in the proposed law relates to data localization.
Sections 40 and 41 of the proposed law provide that every data fiduciary—the bill’s term for entities collecting & processing personal data—in India shall ensure the storage of at least one serving copy of personal data on a server or datacenter located in India. However, government can provide exceptions to the above condition. The government can notify certain categories of personal data as critical personal data that would have to be stored in a datacenter located within India and no exception would be applicable to such data. The definition of ‘critical data’ is not provided in the proposed law and is left to the discretion of the government. The law further provides the terms under which the non-critical data can be transferred after keeping a ‘serving copy’ in India. Similar policy framework for data localisation has been proposed by the Reserve Bank of India (RBI) in relation to the companies engaged in payments business wherein all system providers have to ensure that the entire data relating to payment systems operated by them is stored in the systems located in India. This data should include the full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction. As per the RBI notification the above has to be implemented by October 15, 2018 by all payments companies in India.
The European GDPR from which the proposed Indian data protection law heavily borrows, allows sharing and transfer of data subject to certain conditions like the jurisdiction to which the data is being transferred should have a strong data protection law. However, it does not mandate that data or any part of it should be kept within EU or should not be transferred. Globally such stringent data localisation requirement is prevalent only in countries like China and Russia. It should be noted that the political and economic systems of these countries are different from India which is a vibrant democracy with strong rule of law.
One of the primary reasons given by the governments for enacting a data localization provisions is belief that having data on foreign servers located outside the country allows foreign governments access to personal data of domestic nationals which imposes a security risk; second most cited reason is better monitoring of data by domestic law enforcement agencies for law enforcement and lastly an economic rationale that such a requirement could spur growth of cloud based industries for domestic storing of data.
The concept of data localization is against the basic premise of open internet and free access to information. The growth of internet has resulted in dramatic reduction in costs of storing data which has benefitted Indian start-ups and other information technology based businesses. Most Indian start-ups use global cloud based data storing services with little or no consideration as to where data is stored except that it should be securely stored. This situation has largely been beneficial to Indian start-up and ITES ecosystem and their clients. The proposed data localization norms will add significant costs of doing business in terms of creating infrastructure to store and secure data locally. It is also possible that foreign companies and start-ups do not launch their new products or services in India in absence of compliance with local data localization norms. Already various US based technology companies have voiced their concerns on the proposed data localization norms and also said that said norms would impose additional costs and they may be forced to relook at their investment plans in India.
The proposed data protection legislation does many things right by ensuring that entities handling personal data are accountable in handling of personal data and follow robust security and legal polices. The law also tries to give control of personal data to the data subject where his/her consent has to be unambiguous and can be revoked at his/her discretion. However, the data localization norms seem protectionist in nature which are unlikely to do any good to Indian business and start-up ecosystem and would not improve the safety of data or privacy in any significant manner.
The proposed data protection is still in discussion stage and the government is seeking comments on various issues from stakeholders. However, the RBI guidelines on payments companies will be effective on October 15, 2018 unless extended or some clarification is issued by RBI to the relief of various global payment companies providing services in India.
The author is Managing Partner, Athena Legal, a New Delhi-based law firm