Data Protection Bill, 2021: The data localisation conundrum

While data localisation is favourable for India’s objectives on national security and privacy, business efficiency should be kept in mind too.

Data Protection Bill, 2021: The data localisation conundrum
The JPC report has also recommended formulation of a comprehensive data localisation policy. (Reuters)

By Abir Roy

In line with its earlier versions, the proposed Data Protection Bill, 2021 (2021 Bill) by the Joint Parliamentary Committee (JPC) has advocated data localisation and emphasised on India’s strategic objectives regarding national security, privacy, and building a domestic data economy. Clause 33 and 34 of the 2021 Bill provide for data localisation and conditional cross-border data transfers. The JPC report has also recommended formulation of a comprehensive data localisation policy. It gives a flavour of retrospectivity to the provision, and has recommended that concrete steps be taken by the government to ensure that a mirror copy of the sensitive personal data (SPD) and critical personal data (CPD) already with foreign entities be mandatorily brought to India timely.

Under Clause 33, the 2021 Bill specifies that SPD may be transferred outside India subject to fulfilment of certain conditions; however, they will be stored in India itself. CPD can be processed only in India, however, the term still awaits definition. Clause 34 adds significant granularity to the existing governance process of cross-border data transfer under Rule 7 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. Under the 2021 Bill, cross-border data transfer is allowed only when explicit consent of data principal is taken. Additionally, such transfers are to be made pursuant to a contract or intra-group scheme approved by the Authority in consultation with the Centre, adjudged based on public policy consideration and adequate data protection measures are to be taken by the data fiduciary corresponding to foreign government laws and availability of enforcement powers.

Speaking of the financial sector regulator, RBI, vide its 2018 circular, mandated data localisation for payment systems data. It even took enforcement measures against MasterCard and Amex for non-conformity with the same.

Data localisation is not unique to India and several countries have incorporated it. US law requires defence-related data to be localised, Australia has sectoral regulation for localising health data, Russia mandates localisation of all its citizens’ personal data, China requires data concerning critical information infrastructure and important personal information to be localised, Indonesian law requires localisation of all public services data, and the EU allows for conditional data transfer. Many bilateral and multilateral agreements exist as well. These include countries committing to identical data protection norms and commitments towards cross-border data transfer and data localisation, examples being the Osaka Track (2019), The Clarifying Lawful Overseas Use of Data (CLOUD) Act (2018), Comprehensive and Progressive Agreement for Trans-Pacific Partnership (2018), Digital Economy Agreement (DEA), (2020), among others.

The primary argument against data localisation is that it will increase cost of business. According to a report from the Leviathan Security Group, data localisation procedures increase the cost of hosting data by 30-60% at the business level because centralised data storage and processing is possible online due to cloud computing’s economies of scale and a seamless global internet. When governments dismantle this, the cost of conducting business and compliance increases enormously. Increased expenses bar market entry for start-ups— operating on unit economics and EBITDA—stifling innovation and lowering long-term competitiveness.

Furthermore, the Meta Platform in its filing to the US Securities and Exchange Commission, has stated that data localisation in India will increase business cost and complexity in terms of service delivery because of the extensive and tiered process of government approval and consultation required for cross-border transfer of data under the 2021 Bill. The governmental approval requirement for transfer of SPD has been seen as an issue by many start-ups.

Taking a cue from the changing international relations, the JPC has pushed for data localisation based on data sovereignty and democratic control over data for enforcement measures. The Draft e-Commerce Policy in India also proposes data localisation measures to keep data secure, derive economic benefits and create employment opportunities. The 2018 Justice Srikrishna Committee Report emphasised harnessing of data and propelling the growth of AI and technology through localisation of data.

According to a survey by the US Chamber of Commerce on the benefits of data centres, it was found that they create an average of 1,700 direct and indirect jobs and generate $243.5 million in output within a state. Juxtaposing this in the Indian context, where India is positioned as a strategic and significant digital market, data localisation would require capital investment by foreign firms for setting up data centres in India with simultaneous job-creation, which may outweigh the repercussions of data localisation.

The debate on data localisation is between sovereign interest and business efficiency. While sectoral regulators like RBI have mandated it, the arguments from both camps deserve consideration. It will be interesting to see how the government accommodates their concerns as well as the industry’s interests.

The writer is founder and advocate, Sarvada Legal.

Get live Share Market updates and latest India News and business news on Financial Express. Download Financial Express App for latest business news.

First published on: 16-03-2022 at 12:45:00 am