Free flow of data has been a hallmark of the information revolution of the past two decades. Cross-border data flows have shrunk the world, allowing people across the globe to have the same user experience on the Internet.
But the era of free data flows seems to be coming to a close. Since 2015, a number of countries have put in place, or are thinking about, data localisation and on-soil restrictions. The digital business majors driving cross-border data flows are increasingly important in the global economy, and find themselves in regulatory crosshairs for issues like fake news, illegal content, etc.
India, too, has a number of laws on the anvil that speak of data localisation and on-soil presence requirements. It is useful to understand the motivations underpinning calls for data localisation and on-soil requirements in order to predict the final state these regulations will end up in.
Defining Data Localisation
There is no singular definition of data localisation. In effect, it is the opposite of ‘digital globalisation’, which refers to the free cross-border movement of data.
Localisation usually comprises requirements for the physical storage of data within a country’s national boundaries. Sometimes, the term localisation is used more broadly to mean restrictions on cross-border data flows. Under this broader approach, data localisation may include all measures that “encumber the transfer of data” across national borders, such as: preventing information from being sent outside the country; requiring individual consent before the transfer is made; requiring storage of a local copy of the data; and imposing taxes on data exports.
Data localisation can also be demarcated by its effect – strict or conditional. The former includes requirements of local storage or processing of data; in extreme cases, a complete ban on transferring the data abroad. For conditional restrictions, the transfer of the data is made subject to the satisfaction of conditions. These conditions may be applicable to the persons undertaking the transfer (such as the need to obtain the individual’s prior consent) or to the transferee country where the data is being sent.
For our purpose, we have used ‘data localisation’ to mean the mandatory requirements of in-country storage. That is to say, the data must be retained only on domestic servers, or (in a slightly less stringent version) be subject to data mirroring – which requires that at least one copy of the data be stored locally.1
Defining on-soil incorporation is much easier – it means that the regulated entity must be incorporated in-country, under relevant corporate laws. By definition, this makes such entities subject to local laws, governing foreign exchange, foreign investments, labour laws and (significantly) tax.
Data localisation in draft Bill
One of the more contentious aspects of the Bill is its provisions pertaining to “data localisation”. The phrase, which can refer to any restrictions on cross-border transfer of data (for instance, requirements to seek permission for transfer, the imposition of taxes for foreign transfers of data, etc.), has largely come to refer to the need to physically locate data within the country.
The PDP Bill enables the transfer of personal data outside India, with the sub-category of sensitive personal data having to be mirrored in the country (i.e. a copy will have to be kept in the country). Data processing/collecting entities will however be barred from transferring critical personal data (a category that the government can notify at a subsequent stage) outside the country.
These provisions have been changed from the earlier version of the draft Bill, released by the Justice Srikrishna Committee in 2018. The 2018 draft imposed more stringent measures that required both personal and sensitive personal data to be mirrored in the country (subject to different conditions).
The move to liberalise the provisions in the 2019 version of the Bill is undoubtedly welcome, particularly for businesses and users. Liberalised requirements will limit costs to business and ensure users have greater flexibility in choosing where to store their data. Prima facie, the changes in the 2019 draft reflect a more proportionate approach to the issue as they implement a tiered system for cross-border data transfer, ostensibly based on the sensitivity/vulnerability of the data. This seems in accord with the Supreme Court’s dicta in the 2017 Puttaswamy case, where the Court had made it clear that an interference in the fundamental right to privacy would only be permissible if inter alia deemed necessary and proportionate.
Purpose of localisation
There are broadly three sets of arguments advanced in favour of imposing stringent data localisation norms. The first concerns sovereignty and government functions: the need to recognise Indian data as a resource to be used to further national interest (economically and strategically), and to enable enforcement of Indian law and state functions. The second is that economic benefits will accrue to local industry in terms of creating local infrastructure, employment and contributions to the AI ecosystem. The third concerns the protection of civil liberties: the argument is that local hosting of data will enhance its privacy and security by ensuring that Indian law applies to the data and that users can access local remedies.
But if data protection was required for these purposes, it would make sense to ensure that local copies were retained of all the categories of personal data provided for in the Bill (as was the case with the previous draft of the law). In the alternative, sectoral obligations would also suffice (as is currently the case with sectors such as digital payments data, certain types of telecom data, government data, etc.).
Protecting user privacy?
In a 2018 working paper published by the National Institute of Public Finance and Policy, we pointed at the fallacies in the assumption that data localisation will necessarily lead to better privacy protections. We note that the security of data is determined more by the technical measures, skills, cybersecurity protocols, etc. put in place than by its mere location. Localisation may make domestic surveillance over citizens easier. However, it may also enable the better exercise of privacy rights by Indian citizens against any form of unauthorised access to data, including by foreign intelligence.
Overall, the degree of protection afforded to data will depend on the effectiveness of the applicable data protection regime.
We note that insofar as privacy is concerned, this could be equally protected through less intrusive, suitable and equally effective measures such as requirements for contractual conditions and using adequacy tests for the jurisdiction of transfer. Such conditions are already provided for in the PDP Bill as a set of secondary conditions (the European Union’s General Data Protection Regulation too uses a similar framework).
Further, the extra-territorial application of the PDP Bill also ensures that the data protection obligations under the law continue to exist even if the data is transferred outside the country.
If privacy protection is the real consideration, individuals ought to be able to choose to store their data in any location which affords them the strongest privacy protections. Given the previously mentioned infirmities in the PDP Bill, it is arguable that data of Indians will continue to be more secure if stored and processed in the European Union or California (two jurisdictions which have strong data protection laws and advanced technical ecosystems).
Data Localisation’s History in India
The regulatory interest in storing digital data locally has gained steam in recent times, but there were always laws that required local storage.2
As far back as 2007, the terms of the unified telecom licence agreement required Indian telecom service providers not to transfer certain subscriber information outside India.3 As per India’s 2013 companies law, Indian registered companies are to maintain their books of accounts for audit and inspection only in India.4 The Insurance Regulatory and Development Authority of India mandates that all original policyholder records should be maintained in India.5 In the public contracting realm, 2017 Guidelines for Government Departments on Contractual Terms Related to Cloud Services6 required all government departments to include localisation provisions in their contract while obtaining cloud services.7
These laws were, and still are, fairly controversy-free. This may be because they are fairly clear, limited and targeted applications of the principle of data localisation, with the intent behind them clear to those covered by the regulation. This is worth keeping in mind, as we look to more recent laws that attempt data localisation.
Faster Pace Since 2018
Data localisation as an element of regulatory data protection has come to the fore globally in the past two years. The EU’s General Data Protection Regulation (“GDPR”) came into force in May 2018. While GDPR does not restrict data flow, it imposes ‘adequacy’ and other tests on transfer of data abroad.
In India, too, since early 2018, data localisation measures and proposals have sped up substantially. An obvious spur to regulation was the Indian Supreme Court’s 2017 ruling that Indian citizens have a fundamental right to privacy.8 The court recognised informational privacy as a facet of the right to privacy, and ordered the government to put in place a data privacy regime.
A Draft Personal Data Protection Bill, 2018 (“Draft Bill”)9 then proposed mandating the storage of ‘one serving copy’ of all personal data10 within India. This Bill also proposes to empower the central government to classify any personal data as ‘critical personal data’ to be processed exclusively in India.11
Localisation restrictions have also been placed on payment data. On April 6, 2018, the Reserve Bank of India (“RBI”) issued a circular12 mandating all payment system providers to store payment data locally only in India.13
A draft e-Commerce Policy (“e-Commerce Policy”)14 was released, purportedly addressing issues in the Indian e-commerce ecosystem. Interestingly, this e-Commerce Policy proposes data localisation measures as a means to keep data secure, derive economic benefits from it and create jobs within India. A proposed amendment to the Information Technology (Intermediary) Rules15 requires intermediaries having more than 50,000,000 users in India to be registered and incorporated under local laws. Most recently, in September 2019, the RBI has floated a discussion paper proposing to regulate payment aggregators and payment intermediaries.16 This, too, moots local incorporation requirements for all intermediaries, including pure-technology providers who facilitate payments to merchants.
Data Localisation – What’s Changed and What’s on the Horizon
|Localisation Requirement|Targeting|What You Need To Do|
|---|---|---|
|In-country storage of all payment data.|All entities collecting, processing or storing payment data.| |
|In-country storage of all critical data.|All entities collecting, processing or storing critical data.| |
|Mandatory local incorporation.|Online intermediaries with more than five million users.| |
|Mandatory local incorporation.|E-commerce players of all sizes.| |
|Mandatory local incorporation.|Payment intermediaries and aggregators.| |
The Indian government remains keen on data localisation and on-soil requirements. Reasons such as law enforcement and data protection are relevant, but we must be conscious of economic imperatives too.
Unlike law enforcement and data privacy concerns where technical alternatives to data localisation or on-soil incorporation are (comparatively) easier to champion, there is little by way of ‘technical’ alternatives when the regulatory aim is higher tax receipts. (Of course, one can challenge the assumption that data localisation will actually result in higher tax collection or greater economic growth.)
It is also useful to identify different ‘flavours’ of data localisation with varying objectives. Mirroring data on a local server, adequacy measures for data stored overseas, data encryption, and limiting critical data transfer lend themselves to concerns of data privacy and law enforcement. On the other hand, measures such as on-soil incorporation mandates and storing data exclusively in India may suggest that the government is also looking to the (so-called) economic benefits of data localisation.