Introduction
The term localisation generally refers to requirements for the physical storage of data within a country’s national boundaries. The issue of data localisation has come into the spotlight in India owing to the recent data protection bill and the RBI regulations promoting it.
Need for data localisation
- Storing of data locally is expected to help law enforcement agencies to access information that is needed for the detection of a crime or to gather evidence.
- Where data is not localised, the agencies need to rely on mutual legal assistance treaties (MLATs) to obtain access, delaying investigations.
- Local hosting of data will enhance its privacy and security by ensuring that an adequate level of protection is given to the data.
- On-shoring global data could also create domestic jobs and skills in data storage and analytics, as the Srikrishna report had pointed out.
Steps towards data localisation
Draft Digital Information Security in Healthcare Act, 2018 (DISHA)
- DISHA (Digital Information Security in Healthcare Act) was framed to enable the digital sharing of personal health records with hospitals and clinics, and between hospitals and clinics.
- To protect the privacy of individuals, the draft indirectly empowers the proposed National Electronic Health Authority to impose localisation requirements with respect to digital health data.
- RBI, under Section 10(2) of the Payments and Settlement Systems Act, 2007, issued a directive, imposing stringent data localisation requirements on all players in the Indian payments ecosystem.
- It required all payment system providers and their suppliers and intermediaries to store the entire data related to payment transactions only in India.
- It also covered the intermediaries and third-party vendors contracted to handle data on behalf of payment operators.
- Only data relating to transactions with a cross-border element is permitted to be stored outside India.
Draft Personal Data Protection Bill, 2018
In 2018, the draft Personal Data Protection Bill, 2018 was submitted to the government by the Srikrishna Committee. The following are the salient features of the bill:
- The Bill regulates the processing of personal data of individuals (data principals) by government and private entities (data fiduciaries) incorporated in India and abroad.
- The Bill provides rights to the data owner regarding the processing, accessing and editing of data.
- The Bill requires that a serving copy of personal data be stored within the territory of India. Certain critical personal data must be stored solely within the country.
- Processing of an individual’s data will be allowed only:
  - if the individual provides consent,
  - in a medical emergency,
  - or by the State for providing benefits.
- The data fiduciary must notify the data owner of the nature and purposes of data processing.
- It allows data processing in the interest of national security, for legal proceedings, or for journalistic purposes.
- It provides for setting up of a national-level Data Protection Authority (DPA) to supervise and regulate data fiduciaries.
Draft e-commerce policy
The draft e-commerce policy was released by the government in 2019. The following are the important features of the policy related to data localisation:
- It proposes the creation of a framework for imposing restrictions on cross-border data flow from specified sources including:
  - data collected by IoT devices installed in public space, and
  - data generated by users in India by various sources, including e-commerce platforms, social media, search engines.
- It restricts the sharing of sensitive data which has been collected or processed in India and stored abroad even with the permission of the consumer.
- Such data cannot be made available to a foreign government, without the prior permission of Indian authorities and immediate access to all such data is to be given to Indian authorities upon request.
- A sunset period of three years has been promised to the industry to develop a data storage facility.
Present laws providing for data localisation
IT Act, 2000 and IT Rules, 2011
- Section 43A of the IT Act provides for the payment of compensation for failing to maintain reasonable security practices in respect of sensitive personal data.
- The IT Rules issued in 2011 clarified the meaning of sensitive personal data and set out the norms for the collection, disclosure, storage and security of such information.
- The Rules permitted a body corporate in India to transfer sensitive personal data to another entity or person, in India or abroad, but the person needs to ensure adequate data protection as mentioned in the Rules.
- In general, the enforcement of these requirements, and as a result, compliance with them, has remained questionable.
Why are companies and countries reluctant about data localisation?
Companies are feeling that they would be at a disadvantage due to data localisation requirements because of the following reasons:
- It will increase companies’ costs owing to the requirements of servers, UPS, generators, cooling, building and personnel.
- Infrastructure in India is not yet developed to handle the huge data load. A Gartner study in 2015 found that India held just about 1.2 per cent of the world’s data centre infrastructure and 5.23 per cent in the Asia-Pacific region.
- For any large e-commerce player in India, costs may go up between 10% and 50%.
- Big companies will not find it difficult to incur the cost; it is small-scale e-commerce businesses that would suffer.
- It may defeat the objective of giving a boost to the start-up sector in India.
- Localising data will end up hurting Indian companies that seek to integrate with global companies.
Many countries have also expressed their objection to attempts at data localisation:
- The EU described India’s data localisation requirements as “unnecessary, harmful, and likely to have negative effects on trade and investments.”
- The EU is of the opinion that this move will hinder data transfers and complicate commercial exchanges, including in the context of EU-India bilateral negotiations on a possible free trade agreement.
- The United States trade lobby has already expressed its displeasure over India’s data localisation requirements and made it the major issue of discussion in the recent visit.
Is India the only country thinking of data localisation?
No, many developed and developing countries already have stringent data protection regimes, such as:
- Canada and Australia protect their health data very carefully.
- Vietnam mandates one copy of data to be stored locally and for any company that collects user data to have a local office.
- China mandates strict data localisation in servers within its borders.
- Brazil, Japan, Korea and New Zealand have put in place data protection laws.
- Chile has recently announced the setting up of an independent data protection authority.
- Last but not least, the EU’s recent General Data Protection Regulation (GDPR) is the latest addition to the list. The following are some of the key requirements of the GDPR for companies, to protect EU citizen data:
  - Requiring the consent of subjects for data processing.
  - Anonymizing collected data to protect privacy.
  - Providing data breach notifications.
  - Safely handling the transfer of data across borders.
  - Requiring certain companies to appoint a data protection officer to oversee GDPR compliance.
Way forward
The government should defer any general policy directives on localisation until a more robust study of the issues has been conducted. At the same time, India must also resist the pressure to enter into bilateral or multilateral trade agreements that constrain its ability to make future decisions on data localisation. India’s position on data localisation must ultimately be weighed against the government’s aspirations to create a ‘Digital India’ and the need for strategic thinking on whether a closed data economy or an open one would be more conducive to meeting those goals.