Data protection bill: Why the data localisation clause is not convincing enough
The Personal Data Protection Bill, 2018, which was India’s latest effort to bridge the gap between outdated data protection laws and modern data processing techniques, was expected to overhaul the country’s data ecosystem. However, among the many radical changes recommended in the Bill, the requirement of ‘data localisation’ has taken the industry by surprise. More particularly, it has been termed as an impediment to cloud-based business providing services.
Data localisation broadly means that a live copy of all ‘personal data’ collected within India must be stored in Indian servers or data centres. In addition, the Bill allows the government to deem some personal data as ‘critical,’ which is required to be stored and processed only in the country.
The rationale behind data localisation is to give the government better access to information, strengthen the domestic law against crimes, protect critical personal data and prevent foreign surveillance, boost domestic trade, create employment and harness data for futuristic artificial intelligence-based services.
However, the case for data localisation is not very convincing if these reasons are analysed in depth as several questions remain unanswered. For instance, it is not clear how maintaining data in India will make it more secure or reduce foreign surveillance. It also does not boost domestic trade as countries that have implemented such measures have gravely suffered in the long run with their gross domestic product falling in a staggered manner. This is mainly because the costs of services increase since players providing storage services locally are very few. They also suddenly find themselves in a dominant position in the market. Many services such as email, social networking, instant messaging, online multimedia distribution, news aggregation, etc. are available for free today because storage is not required in each geography where they operate. Ultimately, the costs incurred by these service providers to comply with the data localisation requirements will trickle down to end users, meaning that such services may no longer be available free of charge.
Ironically, as a double setback and contrary to the expert committee’s rationale, startups in India may suffer equally as they will no longer be able to leverage well-established, experienced, high-quality and cost-effective offshore cloud services.
Since the primary reason for localisation is to grant the government access to personal data, the Bill should have addressed in detail the surveillance powers of the government. However, it does not prescribe the grounds properly and leaves it open-ended by stating that processing personal data in the interest of the security of the State will be permitted according to the law, and if it is necessary, for and proportionate to such interests being achieved.
Another important aspect is that ‘critical personal data’ has to reside in India only. However, what constitutes ‘critical personal data’ is neither defined nor have any parameters been provided. The industry will continue to be rife with speculation and uncertainty in this regard. One of the dissenting members of the expert committee even commented that the data localisation requirement in the Bill is regressive and goes against the fundamental tenets of a liberal economy. More importantly, localisation does not guarantee data security. These sentiments were also widely reflected in the public consultation held earlier this year, which was followed after a white paper was released by the expert committee in December 2017.
While the Bill draws on several aspects from the European Union’s General Data Protection Regulation, the latter does not impose overarching data localisation requirements. It only prescribes strict conditions for the transfer of personal data outside the EU. In other words, the Bill goes a step further than the GDPR, which is regarded as one of the toughest data protection legislations historically.
Notably, data localisation requirements have also been recently suggested by the Reserve Bank of India and in the draft e-commerce policy. Several other sectoral regulators also think along the same lines. The question thus arises as to whether data localisation is an easy surveillance tool for the government disguised under the garb of protectionist measures such as making data accessible and bolstering local industries, or a genuine effort towards securing the rights of owners of personal data. Undoubtedly, the industry (and more importantly the consumers), which is otherwise rapidly moving towards global convergence, is caught in this crossfire. Bringing more stringent mutual legal assistance treaties or ‘MLATs’ and better enforcing those treaties may have been a more suitable approach at this stage.
This is the first in a five-part series that analyses the latest data protection bill.
Harsh Walia is an associate partner at law firm Khaitan & Co. based in Delhi.