Contours of Data Localisation in India

Contributed by: Samvad Partners






Introduction


While the early part of the century was a liberating one for proponents of data sharing and data globalisation, this trend has changed in the past few years, with laws across the world moving toward restrictive sharing of data and localisation of data.


This statement is especially true of the India regime with respect to data sharing. From not having a framework at all for data sharing a few years back, to having draft rules with respect to the same, the India regulators have finally woken up to the need to regulate data sharing.


What is data localisation?


Very simply put, data localisation means the practice of storing data on device(s) that are physically present within the borders of the country where the data is generated. Data localisation is usually undertaken by either restricting transfer of data outside the jurisdiction or by mandatorily requiring that data is stored locally.


In India, the concept of data localisation has been introduced through a variety of regulatory updates in the past few years. The Personal Data Protection Bill, 2019 (“PDP”) in its earliest form, required that all personal data be necessarily stored locally in India. However, this has since been relaxed in the updated draft of the PDP and now only requires sensitive and critical personal data be stored locally. Similarly, the Reserve Bank of India (“RBI”) pursuant to a notification dated April 6, 2018 regarding Storage of Payment System Data, mandated that all systems providers ensure that the entire data relating to payment systems operated by them be stored exclusively in India. The time period for compliance with this requirement was six months from the date of the notice, without any exceptions. However, the RBI later clarified that while data could be sent outside India for processing, no copy of the data could be kept outside India.


While data localisation, as a principle seems to be one to stay, the positives and drawbacks are both aplenty. Below are a few key considerations in this regard.


Rights of data subjects


First and foremost, data localisation has been touted as an important tool in enforcing rights available to data subjects by ensuring that data collected from Indian subjects continues to be governed by Indian laws, and the rights are enforced by relevant Indian agencies. In other words, with data localisation in India, Indian lawmakers will have jurisdiction to prescribe laws with respect to how data localisation must be undertaken, as well as frame the scope of rights of data subjects. Ostensibly, this could be looked at as giving data subjects more control over the data they share and provide appropriate recourse in case of misuse. In a country like India, where the data privacy regime is still evolving and the concept of data ownership is gaining more importance, the general public is becoming conscious of personal data and data rights. Consequently, the ability to have more control over one’s data and easy access to any recourse for violation of data rights, is a welcome change.


However, while this is true, there is also a counter view that the scope and extent of data surveillance by regulatory authorities is likely to increase. With ease of access to personal data of an individual, regulatory and governmental authorities could easily keep track of, and monitor, various aspects of an individual’s life. This of course could potentially result in curtailment of certain rights of individuals, such as the freedom of speech.


The PDP, in its current draft contains a provision which allows the state to process personal data for “the exercise of any function of the state” without the consent of the individual. Additionally, the state is also allowed to process personal data without consent of the users, in case of “breakdown of public order”. The presence of such broad and ambiguous language is quite concerning, since this can result in possible surveillance of individuals by the state for unjustified reasons. However, there is also a bigger concern in the PDP, because any agency of the government can be exempt from application of the PDP, if the central government is satisfied that it is necessary “in the interest of sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order”. This, is exacerbated by the fact that India does not have any robust laws with respect to surveillance by state authorities.


Cost of conducting business


Another point to note while discussing data localisation is that the PDP provides that sensitive personal data must be stored in India and cannot ordinarily be transferred out of India except if the central government has approved such transfer. Further, the PDP also requires that all critical personal data must necessarily be processed in India. The term critical personal data has not been specifically defined in the PDP and has been left to be notified by the Central Government.


This restriction on transfer of such data will inevitably cause an increase in costs in conducting business in India by non-Indian entities. For example, any financial or healthcare services provider that collects and processes sensitive personal data from Indian data subjects, will have to necessarily store such sensitive personal data in India. This will either need to be done through establishment of local data centres so as to store such data or could be done by partnering with India service providers that can store data locally using existing systems. In either case such storing of data locally will result in increase in cost of doing business for such organisations. Evidently, this increase in cost of doing business will not be restricted to only non-India entities operating in India. Even local businesses will have to invest in storing data locally and will not be able to store data using the cloud services of companies that provide data hosting services and servers, which till now, has been a fairly common practice. Additionally, organisations providing services of data storage and servers will also have to consider operating a local data storage method in India so as to fully cater to its Indian clients. This requirement could potentially be discouraging for foreign entities looking to enter the Indian market.


Constitutionality


The right to privacy as a fundamental constitutional right, is an established principle by virtue of the landmark judgment, by the Hon’ble Supreme Court of India, in K.S. Puttuswamy v. Union of India. The judgement very importantly states that any infringement upon the right to privacy of an individual must satisfy the standard of proportionality. In this context, any possible overreach by the data protection authority prescribed under the PDP or by any governmental authority in terms of governing personal data will be open to being contested in a court of law, and will necessarily have to satisfy the requirements under the Puttuswamy judgement, including the test of proportionality. Ironically, while judicial intervention is possible, such intervention would need to be as a consequence of an act of infringement. This could lead to vulnerability of data subjects and their data, at the hands of the data protection authority and governmental agencies, as a result of overreach. However, given that the PDP is still in the form of a bill and has not yet been enacted, we will have to wait and see if such constitutionality is questioned.


Data localization in other jurisdictions


Apart from India, multiple jurisdictions around the world have also contemplated the concept of data localization. While data localization has not caught on like its proponents would expect to, below are the general data localization requirement in a few jurisdictions which have introduced data localization.


Australia

Australia does not have any general data localization requirements under its local law. Australia does have a robust privacy regime and this regime allows for sharing of information outside of Australian borders. While there is no blanket requirement for data localization, Australian laws do provide for certain sector-specific requirements of data localization. For example, certain categories of government generated data are subject to rules which prevent storage of such government generated data outside Australia. Also, certain consumer credit information and specific categories of health information are prevented from being stored outside Australia.


Singapore

Singapore does not have any general data localization requirements under its local law and cross border data transfer is generally permissible provided that data so transferred is subject to a similar standard of protection in countries to which data is transferred. However, data localisation does find mention in regulations with respect to specific sectors. For example, as per the Monetary Authority of Singapore’ Guidelines on Outsourcing (“Guidelines”), the use of data centres outside of Singapore, is permitted. However, the Guidelines also impose certain restrictions with respect to the kind of data centres which can be used. The Guidelines also provide that where there is an international outsourcing agreement with a service provider, banks need to confirm in writing to the Monetary Authority of Singapore that they have the right to inspect the service provider and its information, reports and any findings relating to the outsourcing agreement.


European Union (“EU”)

Similar to Australia and Singapore, the GDPR in EU also does not provide for a general data localization requirement. In fact, the GDPR contains provisions for lawful transfer of personal data outside of the EU if the data protection norms of a specific country are considered as adequate per the GDPR, and if the data controller and data processor put in place binding corporate rules and appropriate contractual clauses. However, in November 2020 the European Data Protection Board released two documents with guidance on when personal data will be allowed to flow to non-EU countries. A common view taken by European commentators is that these guidelines could possibly have the effect of data localisation.


USA

USA does not have any requirement for data localization under its national laws. USA has in fact been critical of a possible inclusion of data localization requirements under the GDPR citing inefficiency in doing business. USA has also been quite vocal in opposing the proposed PDP as well, especially with the view that there are multiple USA based financial corporations providing their services in India that would get impacted by a move toward data localization. USA has also maintained that the location of the data is not the relevant consideration in data localization, and the pertinent factor should instead be the degree of protection offered to such data, and that data security should be strengthened instead of creating geographic limitations to transfer of data. USA’s position on data localization has been one of openness and to allow free data transfer.


Conclusion


While the PDP in its current form provides, for the first time, a detailed framework for protection of personal data in India, it also leads to far too many concerns with respect to overreach by regulators and the government. The data localisation aspect of the PDP will need to be relooked at from a more detailed lens given the practical challenges it brings about. As a result of the various favourable and unfavourable views around the PDP and the examination by experts, the PDP is yet to emerge as law in India. While this is surely only a matter of time, the ultimate form in which the PDP is enacted could have potentially impact on how businesses operate.


Contributed by Samvad Partners


The above article has been authored by Ms. Nivedita Nivargi(Partner) and Mr. Kevin Robin (Associate).