The Personal Data Protection Bill, 2018 is based on the Justice Sri Krishna Committee Report on Data Protection. This piece elaborates upon three key points before proposing an alternative approach to data localisation. Firstly, the meaning of data localisation and the provisions of the bill pertaining to data localisation. Secondly, if it is feasible to implement data localisation in India. Lastly, analysing data localisation with respect to the rights and interests of various stakeholders involved.
The bill provides for two kinds of data, (a) critical and (b) non-critical personal data. The former ‘shall only be processed in a server or data centre located in India.’ For the latter requirement of mirroring is provided i.e. at least ‘one serving copy of personal data’ shall be stored in a server located in India. It nowhere provides the definition of critical personal data and the criteria to identify critical personal data. Two members of the Committee itself took a dissenting stance stating that the data localisation principle is “not only regressive but against the fundamental tenets of our liberal economy.”
Though data localisation has been hailed as a path-changing step for India’s evolving digital infrastructure and economy, its cons outweigh its pros. To begin with, there are alternative effective methods of sharing data for enforcement purposes. The Clarifying Lawful Overseas Use of Data (CLOUD) Act, 2018 enacted by the U.S. Government will be a major blow to Indian data localisation. It provides for executive agreements through which the countries can access data of its nationals or citizens stored in another country irrespective of that country’s privacy laws.
Instead of data localisation, India can take benefit of the CLOUD Act. India, being home to so many digital users, is a strong contender to be a signatory under the CLOUD Act. The second problem with the bill is that it nowhere provides for what would be interpreted as critical personal data. The report recommends that critical personal data would relate to aadhaar number, biometric data, genetic data etc. leaving the door open for interpretation of critical personal data to a great extent. At one place, the report provides critical personal data would be ascertained by the Government. This arbitrary power in the hands of the state can endanger the economic growth prospects of India.
For a developing economy like India, localisation of data might prove to be a huge setback. It might affect small and medium sized companies. The domestic startups that could leverage their services through well-established foreign cloud services might struggle a bit. They will have to spend a lot in creating or renting newly built infrastructure. Resultantly, costs will be incurred by the service providers and ultimately trickle down to the customers. The requirement of processing of data in India is restricted to critical personal data; there is still a requirement of mirroring the other data.
The report stipulates that the data security shall be enhanced by data localisation. The technology used by global companies to protect the data is ensured through massive investments in data security. India based data storage providers might not adhere to the same global standard because of the competitive need to draw customers, fewer financial resources and lesser technological expertise. Besides, the bill does not provide for any minimum standard that the companies shall adhere to protect data.
Lastly, data localisation might lead to domestic surveillance. The committee provides for the requirement to protect the privacy and security of personal information against non- governmental actors. There is no law in place to protect the privacy of the people against the state action. Since the data would be accessible by the Government there is a need to have proper law in force to check the surveillance.
Data Localisation and Interest of Stakeholders
Data localisation requirement does not harmoniously serve the interest of the stakeholders on three counts:
Firstly, with regard to the internet users- prima facie, the impression that data stored in the territory of India would be protected from any foreign transgression is contradicted by the requirement of mirroring the data. One copy of data shall still remain in the foreign territory. The critical personal data processed only in India would be at risk due to the absence of appropriate surveillance laws.
Secondly, with regard to the companies- it would put an additional burden on the companies doing business in India resulting in the creation of entry barriers for the new entrants. Additionally, the definition of critical personal data has been set to be decided by the executive leaving the companies at the perils of arbitrary state action.
Lastly, the nation-state- the rationale behind data localisation being a facilitator for enforcement is that the physical location would be a key factor for determining the jurisdiction in order to access data. This must be read with the costs and the freedom of the digital economy as well as the problems of domestic surveillance.
With most of the big data companies like Google, Apple, Facebook incorporated in the U.S., CLOUD Act can be an effective solution to access of data stored in the U.S. India can be a signatory under the CLOUD Act and access data of its citizens through executive agreement. Another solution as proposed above is model contracts formulated by the Data Protection Authority. This approach is more feasible as compared to data localisation.
Furthermore, the approach followed by the E.U. under G.D.P.R. can be taken into consideration. It provides for adequacy test under which the commission allows transfer of data, without authorisation, to those countries that ensure ‘adequate level of protection’. There are several factors through which Commission under the E.U. law identifies adequacy of the level of protection. A parallel approach can be followed in India wherein the Data Protection Authority can provide for the same.
Summing up, there is a need to balance the interests of the people as well as the economic development of the state. None of the two can be sacrificed at the altar of the other. With campaigns like Digital India and Startup India at the forefront of this requirement under the perspective data protection law should be cautiously implemented and should be in harmonization with the fundamental rights of the people.
(These are personal views of the authors)
Image 1: Scroll.in
Image 2: Hindustan Times
Image 3: Orissa Post