Data Protection or Data Localisation

Data Protection or Data Localisation

How many times have all of us promptly shared personal information such as our name, age, mobile number, email address, home address, date of birth and other information that can personally identify us?  We have shared such information in restaurants, shopping malls, feedback forms and numerous other such places. In a country like India with almost no legal framework protecting data protection and privacy, the implications of sharing such personal information is frightening. With the exception of the Indian Information Technology Act, 2000, which has certain provisions regarding personal information, India’s legislation till recently has been silent with respect to collection and use of personal information, restrictions regarding such information and the protection of any such personal information collected.

Since then, the Justice BN Srikrishna Committee (“Srikrishna Committee“) has been formed on July 27, 2018 to fill this lacuna in law. The Srikrishna Committee submitted its report on data protection, ‘Personal Data Protection Bill, 2018’, along with the proposed legislation, to the Ministry of Electronics and Information Technology for its review. A byproduct of the ‘Personal Data Protection Bill, 2018’ has been the Personal Data Protection Bill, 2019 which was introduced in the lower house (Lok Sabha) of the Indian parliament on December 11, 2019 for the purpose of bringing about essential legislative changes surrounding safeguarding of data and personal information. This has been a major breakthrough for a country like India, where privacy was declared a fundamental right in a landmark decision by a 9 Judge bench of the Supreme Court of India in 2017. The Supreme Court,  in Justice K. S. Puttaswamy (Retd.) and Anr vs Union of India And Ors[1], recognized privacy as a constitutionally protected right. The Supreme Court held that privacy is an essential part of a person’s dignity and that privacy includes the right to be left alone. The Supreme Court also recommended that the Government put into place a robust regime for data protection.

Data Localisation 

How many of us have thought about what happens to the personal and financial information that is collected when we use our master or visa credit card or create an account on Amazon/Netflix? How is the financial and personal information processed or stored? As of today’s date, majority of such information is either partly or completely stored outside India. The provisions of the Personal Data Protection Bill, 2018 as well as the 2019 Bill regarding data localization juxtaposed against the Reserve Bank of India (“RBI“) circular regarding payment data to be stored India, envisage changing the current scenario with respect to data storage and thereby making it more robust.

Personal Data Protection Bill, 2018

With the Srikrishna Committee recommendations and the Personal Data Protection Bill, 2019, India has joined a host of other countries in the world that are demanding  data localisation. Data localisation implies that entities collecting or processing data should store such data or a copy of the same on local servers within the territorial jurisdiction of the country as well as permit the transfer of such data outside the country, subject to a reasonable level of protection being accorded to the same irrespective of where it is being transferred. The Srikrishna Committee also recommended that personal data determined to be critical will be subject to the requirement of being processesed only in India and the Central Government was to determine categories of sensitive personal data which are to be considered critical.

RBI Circular on Storage of Payment System Data

On April 6, 2018, RBI issued a circular titled Storage of Payment System Data[2] which directed all payment system providers to make sure that data relating to their payment systems should be stored in systems located within the territorial jurisdiction of India. Payment system providers had been provided a tight deadline until October 15, 2018 to comply with the same, making companies from around the world scramble to conform to  the RBI’s deadline for localisation.

Thereafter, the RBI vide certain FAQs[3] has clarified that in certain situations, data may be stored abroad as well i.e. for cross border transaction data, consisting of a foreign component and a domestic component, a copy of the domestic component may also be stored abroad, if required. The clarifications also state that the banks, especially foreign banks,  that were earlier specifically permitted to store banking data abroad, may continue to do so; however, in respect of domestic payment transactions, the data shall be stored only in India, whereas for cross border payment transactions, the data may also be stored abroad.

The RBI FAQs, for the first time also shed light on the type of data that is to be stored in India, which include end-to-end transaction details and information pertaining to payment or settlement transaction that is gathered/ transmitted/processed as part of a payment message/instruction. This may comprise – customer data (name, mobile number, email, aadhaar number, pan number, etc. as applicable); payment sensitive data (customer and beneficiary account details); payment credentials (otp, pin, passwords, etc.); and, transaction data (originating & destination system information, transaction reference, timestamp, amount, etc.).

Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019 has received severe backlash from several persons with respect to the unfettered right that the bill provides to the government to access private data, to the extent that Justice Srikrishna himself has criticised the bill, calling it “dangerous” and a piece of legislation that could turn the country into an “Orwellian state”[4].

However, the Personal Data Protection Bill, 2019 does provide some respite to the stringent data localisation rules. Under the Personal Data Protection Bill, 2019, personal data has been sub-categorized into two categories: (i) Sensitive Personal Data and (ii) Critical Personal Data. Whilst sensitive personal data has been explicitly defined, critical personal data has been defined as such personal data as may be notified by the Central Government. The Personal Data Protection Bill, 2019 relaxes data localisation restrictions and applies them to only sensitive and critical personal data. The Personal Data Protection Bill, 2019 removes the provision for mandatory storage of all personal data in the country.

Under the 2019 bill, sensitive personal data can be transferred outside India, but such data has to be stored in India as well. Furthermore, sensitive personal data can be transferred abroad only for the purpose of processing upon the fulfilment of certain conditions, which includes obtaining explicit consent from the data principal and being in pursuance of a contract or an intra-group scheme that safeguards the data principal rights, while also ensuring liability on the data processor (fiduciary) if harm does occur. Additionally, sensitive personal data may be transferred abroad if the data is to be accorded an adequate level of protection in that jurisdiction and shall be accessible by the authorities having jurisdiction for the enforcement of relevant laws, when required.

The 2019 bill mandates that all processing of critical personal data outside India is prohibited. However, the transfer of such critical personal data is permitted to a person or entity engaged in provision of health services or emergency services in specified circumstances or to any country or entity or class of entity approved by the Central Government subject to the satisfaction of certain conditions, and where such transfer in the opinion of the Central Government does not prejudicially affect the security and strategic interest of India.

Draft E-Commerce Policy

Earlier there had been several talks, that the draft e-commerce policy being formulated by the Government also recommends localisation for data and data generated by users of e-commerce platforms, resulting in widespread concern regarding India’s data localisation requirements. However, it was later reported that Mr. Piyush Goyal, the commerce minister, held a meeting with major e-commerce players, including Amazon and Flipkart, on June 22, 2019 where he allegedly said that data protection would now be handled by the MeitY which is working on a data protection bill and that data localization would be kept out of the purview of the draft e-commerce policy[5].

Potential Reasons for Data Localisation

While the 1991 Government has largely looked towards globalisation and liberalisation, the Narendra Modi led Government has coupled this along with localisation and promotion of the domestic market. From Make in India to Startup India, the Government has created two colossal pillars for the Indian economy and one can speculate that the third pillar may very well be data.

One of the potential reasons for backing data localization is the new age idea that data is the new oil. In the background of several data related scandals such as Cambridge Analytica, governments have come to realize that protection of personal data of the country’s citizens and residents is  now an absolute requirement. Another aspect is that data localisation is essential to national security. Storing of data locally is also expected to help authorities to access information that is needed for several law enforcement measures.

Downside to Data Localisation 

To meet the requirements of the data localisation bill, organisations would need to spend massive amounts of money to set up servers locally, among other infrastructure costs. This may be a huge hurdle for existing companies already operating in India, and makes it more expensive and act as a deterrent for new ones looking to enter into India.

Furthermore, as everyone realizes the importance of data, governments, individuals and the delinquents alike, the country runs the risk of being a honeypot of personal data susceptible to data security threats and scandals.

The Road Ahead

While domestic companies such as the Reliance Group have spoken up in support of the Indian Government’s data localisation efforts, others like Facebook, Amazon, Microsoft, and Mastercard have led the way in opposing it. The Personal Data Protection law has been two years in the making, and is still sparking several charged debates across the country. 

The Personal Data Protection Bill, 2019 is to be reviewed by a Joint Parliamentary Committee, which was to be heard on January 16th, 2020. Subsequent to the committee’s recommendations, the bill is likely to be tabled in the Lok Sabha, after which it will be sent to the Rajya Sabha and then to the President for his assent before it becomes a law, thereby completing its treacherous uphill climb of becoming law. How the final form of the bill would emerge and whether it would remain unscathed is anyone’s guess; a question whose eventual answer will imply major upheavals for the way businesses fundamentally operate.

The Data Protection Bill, 2021 has been withdrawn with effect from August 3, 2022 and is proposed to be replaced with a new legislation. The Data Protection Bill, 2021 earlier replaced the Personal Data Protection Bill, 2019.