With the Joint Parliamentary Committee (JPC) Report on the Personal Data Protection Bill, 2019 (PDP Bill) being expected to be tabled sometime this week, debates around key issues in India’s data are now heading towards resolution. One such issue that has witnessed its fair share of contestation since the Justice Srikrishna Committee (JSK Committee) first mooted the draft Bill is data localisation. While this piece situates this issue in the context of the PDP Bill, sectoral mandates of localisation in India, especially in the context of payments and telecommunications data, have predated its adoption in the PDP Bill.
Four Reasons for Data Localisation
Entities processing personal data (data fiduciaries) of natural persons (data principals) of a country do not necessarily store such data in the same jurisdiction in which the data principal is located. The data fiduciaries’ choice of location of servers depends on several factors, such as costs, security considerations and the regulatory ecosystem of a jurisdiction.
Governments, however, argue that location of personal data in a different jurisdiction leads to several problems. First, it makes the personal data of resident data principals vulnerable to foreign surveillance because arguably governments, in whose jurisdictions such servers are located, will have better access to the data. Second, storage and transference of personal data of resident data principals to jurisdictions with lax data protection laws also makes their data vulnerable.
Third, it reduces the access of the domestic government of the data principals to this data thereby interfering with the discharge of their regulatory and law enforcement functions, including counter-terrorism and prevention of cyber attacks and cyber offences. This is because requests for such information are either denied citing law of the foreign country or its provisioning is often delayed given the inefficacious and time consuming MLAT (Mutual Legal Assistance Treaty) processes. Fourth, it leads to missed opportunities for the domestic industry that would otherwise be engaged in the provisioning of storage services in terms of foreign direct investment, creation of digital infrastructure and development of skilled personnel.
Data Localisation in the PDP Bill
Governments posit that these concerns can be countered by mandating data localisation. The requirement of data localisation has two aspects. First, the data of its residents should be physically stored on servers located within its territorial jurisdiction and second, restrictions are imposed on cross-border movement of this data. In India, this idea is adopted by the PDP Bill. It classifies data into three primary categories of personal, sensitive and critical personal data. This classification is made based on the likelihood of harm that may be caused to data subjects by processing of data. Based on such classification, it imposes differing requirements of localisation on data processed by data fiduciaries.
While in the case of personal data simpliciter there are no requirements for local storage or restrictions on cross-border transfer, for sensitive personal data, a live, serving copy of the data must be stored in India with cross-border transfer being allowed only with the explicit consent of the data principals and only to jurisdictions that the central government considers to have an adequate data protection framework. In the case of critical personal data, the data can be processed only in India and is allowed to be transferred outside India only on the basis of health emergencies or specific approval from the central government.
Concerns over Data Localisation
Although the Personal Data Protection Bill is a diluted version of the recommendations of the JSK Committee Report, in that it mandates localisation only for sensitive and critical personal data and not for all personal data, both the report and the PDP Bill have received significant backlash from various quarters on aspects of localisation and restrictions on cross-border flow. Notably, two members of the JSK Committee also placed their disagreements with the localisation requirements on record.
First, it is argued that such practices that restrict free flow of data will lead to a balkanisation of the “open, interoperable and unified” internet, which would strike at the very reason for its revolutionary potentialities.
Second, coming from a civil rights perspective, civil society has argued that local storage would lead to easier access of the Indian law enforcement agencies (LEAs) to personal data of data principals which coupled with overarching processing exemptions in the PDP Bill for the purposes of law enforcement would increase the probability of abuse of such data. It needs to be noted that when the JSK report had advocated for data localisation, the nature of exemptions to state-based processing it envisaged were more limited in nature compared to what the PDP Bill currently provides. It has also been argued that to ensure effective data protection for resident data principals, data protection laws should establish legal jurisdiction over the data fiduciaries rather than rely on territorial jurisdiction in relation to the servers.
Third, an from economic standpoint, industry stakeholders have raised concerns that localisation requirements would significantly increase compliance and operational costs in terms of higher data storage charges and security risks. Further, if other countries were to impose these requirements in reciprocation or retaliation, these could result in trade barriers that would disrupt the Indian IT-BPM industry.
The Way Forward
For these reasons, it has been argued that governments often overstate the benefits of data localisation requirements to further their populist and protectionist agenda so as to allay fears of threats to national identities and harness value from data, albeit in a myopic manner. As far as India is concerned, various reports indicate that localisation will form part of the enacted version of the PDP Bill.
However, there is scope for negotiating the manner of implementation, in a phased manner. Presently there are only private studies on the benefits and costs of localisation that provide differing estimates and effects of data localisation in India. While the JPC report and PDP Bill are being tabled, the government should, in parallel, commission an official study to understand the differing impact it would have on different kinds of data fiduciaries as also on the domestic industry. This would better inform parliamentary debates on the design of localisation requirements as also the schedule and manner of their implementation.
For a field of regulation that is still developing across jurisdictions to measure up to emerging issues that have inter-sectoral implications, informed policy making is all the more essential to bring the Indian data protection law into effect on a surer footing.
This is a first in a four-part series on key issues around India’s data policy.
Trishee Goyal is a project fellow at the Centre for Applied Law and Technology Research, Vidhi Centre for Legal Policy. The views expressed in this article are personal and do not represent the stand of this publication.