Date : June 27, 2019
Data localisation appears to be a relatively new concept for India. Before going any further, it is important to understand what data localisation really is. Data localisation is the process of localising the citizen’s data to one’s home country for its processing, storage and collection before it is transferred internationally. This is done with the motive of subjecting the data to one’s local data protection and privacy laws. It is based on the full-fledged concept of data sovereignty. Data localisation is a hot topic of debate in various legislations and among legislators, and India is gradually progressing towards it.
The framework for protection of personal data in India is contained within The Personal Data Protection Bill, 2018 ("Bill") as well as the Data Protection Committee's ("Committee") Report (released on 27 July 2018). Another draft legislation, the Digital Information Security in Healthcare Act, was also published by the Ministry of Health and Welfare, and a mandate to localise data was issued by the RBI. Together, these could be termed the Data Protection Framework. These legislative steps could be viewed as a strong intent of the Government to protect national as well as individual privacy and to provide security to both. Data localisation is aimed at enforcing better control. The initial steps were reflected in the Companies Act, 2013, under which the required copies of books of accounts maintained in electronic form were to be kept on servers physically located only in India.
The Report and the Bill
Chapter 6 of the Committee’s Report provides compelling arguments on the subject of data transfer outside India. The Committee notes that free flow of data (laissez-faire mode) is the norm and restrictions are an exception. It emphasises the importance of data protection and that, when data crosses borders, it affects the privacy of people. The Committee recommended that even when data is sent across international borders, Indian data protection and privacy laws would still apply and the data would need to be stored locally. Further, it may be left to the Central Government to decide that data of a certain kind may not cross the border.
Further, under Sections 40 and 41, it is the Central Government that shall have the power to categorise data as sensitive personal data which is critical in nature, and which could only be processed in India. Transfer of non-critical data shall be allowed when a copy of it is stored in India. Personal data other than critical personal data shall be transferred cross-border by virtue of model contract clauses which would bring direct liability to the data principal of the transferor.
Data Localisation as a Mandate
Recently, the Reserve Bank of India (RBI) issued a mandate on 9th of April, 2018 which required all fin-tech companies, 3rd party vendors, payment system providers and their intermediaries and service providers to localise their data, which includes ‘payment instruction’, ‘full end-to-end transaction details’ as well as other information processed, carried or collected that falls within the ambit of what is to be stored, and required that this data be stored only in India. These records are required to be maintained, audited annually and produced before the RBI.
National E-Commerce Policy
The National e-commerce policy, which relates to the digital economy, provides for several measures aimed at data localisation. The legislation is aimed at creating a facilitative ecosystem to promote India’s digital ecosystem and specifically its digital economy. It covers data generated by users through various platforms such as social media, e-commerce and search engines, as well as community data (through IoT devices). Such data is required to be stored only in India, and transfer of such data outside the Indian boundary is to be regulated. However, localisation is not to be seen as an absolute step: cross-border transfer could very well remain possible in instances such as cloud computing, programs which do not involve personal or community implications, and other exceptions which have been expressed in the Committee’s report.
Proposed Amendments to the Drugs & Cosmetic Rules, 1945
The recently proposed amendment, which is aimed at regulating e-pharmacies, provides that for e-pharmacies to conduct business in India, web portals have to be established in the country and data has to be stored within the country. The draft states that the data generated or mirrored shall in no way, and by no means, be sent or stored outside India.
For effective data localisation, it is necessary that data centres are regulated and that their functions are in consonance with the law. It is vital to note that the issues which arise with data localisation involve not only cyber security but also jurisdiction. Economies of scale and infrastructural architecture across the globe have resulted in various cloud computing software taking advantage of the same. A threat could very easily be transferred from one part of the world to another. Telstra, in 2017, issued a Cyber Security Report which brought to light that India’s businesses were at the highest risk of cyber security attacks and that Indian organisations were experiencing the highest number of threats amongst all the Asian countries that were surveyed.
Cost-Benefit Analysis by the Committee
Chapter 6 of the Committee’s report contains an analysis of the possible effects of data localisation, its advantages as well as its repercussions.
The benefits of Data Localization include:
Further, the report also mentions the costs of data localisation. According to it, localisation would burden various domestic firms that use cloud computing software for their day-to-day activities. A further possibility is the digital infrastructure coming under a monopoly. However, the Committee is of the view that the benefits outweigh the costs, and it believes that the Indian market will be potentially successful in dealing with such infrastructure.