Data Localisation: What’s in it for us?

Data localization appears to be a relatively new concept for India. Before going any further, it is important to understand what data localization really is. Data localization is the process of localizing citizens’ data to their home country for its processing, storage, and collection before it is transferred internationally. This is done with the motive of subjecting the data to local data protection and privacy laws. It is based on the concept of data sovereignty. Data localization is a hot topic of debate in various legislation and among legislators, and India is gradually progressing towards it.

The framework for the protection of personal data in India is contained within The Personal Data Protection Bill, 2018 (“Bill”) as well as the Data Protection Committee’s (“Committee”) Report (released on 27 July 2018). Further, another draft legislation, the Digital Information Security in Healthcare Act, was published by the Ministry of Health and Welfare. A mandate to localize data was also issued by the RBI. All these combined could be termed the Data Protection Framework. These legislative steps could be viewed as a strong intent of the Government to protect national as well as individual privacy and to provide security at both ends. Data localization is aimed at enforcing better control. Its beginnings can be seen in the initial steps reflected in the Companies Act, 2013, which required that copies of books of accounts maintained in electronic form be kept on servers physically located only in India.

The Report and the Bill

Compelling arguments are provided in Chapter 6 of the Committee’s Report on the subject of data transfer outside India. The Committee notes that the free flow of data (laissez-faire mode) is the norm and restrictions are an exception. The Committee emphasizes the importance of data protection and that, when data crosses borders, it bears upon the privacy of people. The Committee recommended that even when data is sent across international borders, Indian data protection and privacy laws would still apply and the data would need to be stored locally. Further, it may be left to the Central Government to decide that data of a certain kind may not cross the border.

Further, under Sections 40 and 41, the Central Government shall have the power to categorize data into sensitive personal data which is critical in nature, which could only be processed in India. Non-critical data transfer shall be allowed when a copy of it is stored in India. Personal data other than critical personal data shall be transferred cross-border by virtue of model contract clauses which would bring direct liability to the data principal of the transferor.

Data Localisation is a Mandate

Recently, the Reserve Bank of India (RBI) issued a mandate on 9 April 2018 which required all fin-tech companies, third-party vendors, payment system providers, and their intermediaries and service providers to localize their data. This includes ‘payment instruction’, ‘full end-to-end transaction details’, and other information processed, carried, or collected that falls within the ambit of what is to be stored, and such data must be stored only in India. These records are required to be maintained, audited annually, and produced before the RBI.

National E-Commerce Policy

The National e-commerce policy, which relates to the subject matter of the digital economy, provides for several measures aimed at data localization. The legislation is aimed at creating a facilitative ecosystem to promote India’s digital ecosystem and specifically its digital economy. It covers data generated by users through various platforms such as social media, e-commerce, and search engines, as well as community data (through IoT devices). Such data is required to be stored only in India, and the transfer of such data outside the Indian boundary is to be regulated. However, localization is not to be seen as an absolute step: there could be various instances where a cross-border transfer could very well become a possibility, such as cloud computing, programs which do not involve personal or community implications, and other exceptions which have been expressed in the Committee’s report.

Proposed Amendments to the Drugs & Cosmetic Rules, 1945

The recently proposed amendment which is aimed at the regulation for e-pharmacies provides that for e-pharmacies to conduct business in India, web-portals have to be established in the country and data has to be stored within the country. The draft states that the data generated or mirrored, shall in no way, and under no means, be sent or stored outside India.

Data Centres

For effective data localization, it is necessary that data centers are regulated and that their functions are in consonance with the law. It is vital to note that the issues which arise with data localization involve not only cybersecurity but also jurisdiction. Economies of scale and infrastructural architecture across the globe have resulted in various cloud computing software taking advantage of the same. A threat could very easily be transferred from one part of the world to another. Telstra, in 2017, issued a Cyber Security Report which brought to light that India’s businesses were at the highest risk of cybersecurity attacks and that Indian organizations were experiencing the highest number of threats amongst all Asian countries surveyed.

Cost-Benefit Analysis by the Committee

Chapter 6 of the Committee’s report contains an analysis of the possible effects of data localization, its advantages as well as its repercussions.

The benefits of Data Localization include:

  • Reduced Costs: With data being easily available, the time and costs incurred in interacting and co-ordinating with foreign entities to acquire data would be reduced, leading to a direct reduction in the costs involved in the enforcement of Indian laws.
  • Reduced Security Risk: Cross-border transfers involve security risks due to the use of fiber optic cable which makes networks vulnerable to various attacks. This risk is reduced by the localization of data.
  • Boost to Digital Infrastructure: Data collection would lead to a huge boost in the nation’s Digital Infrastructure systems which would further lead us to see innovations in artificial intelligence as well.
  • Sovereignty: Data localization would prevent any foreign entity from keeping surveillance over India’s affairs.

Further, the report also mentions the costs of data localization. According to it, such measures would burden the various domestic firms that use cloud computing software for their day-to-day activities. Another possibility is that the digital infrastructure could come under a monopoly. However, the committee is of the view that the benefits outweigh the costs, and it believes that the Indian market will be potentially successful in dealing with such infrastructure.

Author: Maahi Mayuri, student of New Law College, Bharati Vidyapeeth Deemed University, Pune, and intern at IP and Legal Filings. The author can be reached at support@ipandlegalfilings.com.