Nov 13, 2019

Data localization – Global phenomenon, or is India unique?

One of the topics dominating headlines globally is data privacy. While the free flow of personal data in the global digital landscape has been around for quite some time, the Government has only lately been proposing sweeping changes to the legal framework governing data privacy.

The Facebook–Cambridge Analytica case in early 2018 put the spotlight on the fragility of personal data protection and raised doubts about the safe usage of consumer data by institutions. Around the time the world was trying to grapple fully with the implications of this case, data governance plans in various jurisdictions, including India, started to emerge. Legislation such as the European Union’s ‘General Data Protection Regulation’ became enforceable on May 25, 2018 to strengthen the rights of EU citizens over their data. Likewise, in India, the committee under the chairmanship of former Justice B. N. Srikrishna published a report on July 27, 2018 titled ‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’. The Committee also submitted to the Government the draft ‘Personal Data Protection Bill, 2018’ (“Data Protection Bill”), which aims to protect the autonomy of individuals in relation to their personal data and inter alia lays down norms for cross-border transfer of personal data and data localization.

What is data localization?

Data localization, a relatively recent concept for India, generally refers to requirements for the physical storage of data within a country’s national boundaries, although it is sometimes used more broadly to mean any restrictions on cross-border data flows. From a trade perspective, restrictions on data flows can be defined as all those measures that raise the cost of conducting business across borders by either mandating companies to keep data within a certain border or by imposing additional requirements for data to be transferred abroad.

Data localization in India: Scope

Even before the Data Protection Bill was submitted, data localization had been a much-debated topic, ever since the Indian Government and regulators proposed to introduce regulations in specific sectors mandating the housing of individual data within the country. In April 2018, the Reserve Bank of India (“RBI”) issued a directive requiring all system providers and intermediaries operating in the payments sector to comply with data localization norms, viz. compulsory storage of data relating to payment systems in India. Only the foreign leg of a payment transaction is permitted to be stored outside India. Similarly, the Ministry of Health and Family Welfare (“MoHFW”) last year issued for public comments a draft of the ‘Digital Information Security in Healthcare Act’ (“DISHA”). DISHA gives the National Electronic Health Authority, proposed to be established thereunder, the right to formulate standards, operational guidelines and protocols for the generation, collection, storage and transmission of digital health data. Later, MoHFW submitted DISHA to the Ministry of Electronics and Information Technology with the intent for it to be subsumed in the upcoming data protection framework, which would apply in all domains including health. Likewise, the latest Data Protection Bill requires a copy of the transferred personal data to be stored in a server or data centre located in India. In addition, the Data Protection Bill prohibits processing of critical personal data in a server or data centre other than the ones located in India. Further, in August 2018 the Government released for public comments draft amendments to the Drugs and Cosmetics Rules, 1945, which propose to regulate the sale and distribution of drugs through e-pharmacy. One of the restrictions provided in the said draft rules is that the data generated or mirrored through an e-pharmacy portal shall not be sent or stored outside India. The said rules are yet to be finalized.

Other jurisdictions on data localization

While this concept may be new to India, other countries such as China and Russia already have extensive sets of data localization policies. The Cybersecurity Law of the People’s Republic of China provides that the personal information and important data collected by CII (critical information infrastructure) operators during their operations within the territory of the PRC shall be stored domestically, and that the cross-border transfer of such data by a CII operator for business needs shall be subject to security requirements. Similarly, Russian law obligates all operators of personal data to ensure recording, systematization, accumulation, storage, amendment and extraction of personal data pertaining to Russian citizens with the use of databases located in the territory of the Russian Federation.

Some countries have local storage requirements in specific sectors. For instance, in Canada, the provinces of British Columbia and Nova Scotia have enacted laws that require personal information held by public institutions to stay in Canada – with only a few limited exceptions. Another example is Australia, which prohibits taking health records outside the country. Further, Indonesia requires electronic service providers that provide ‘public services’ to place their data and disaster recovery centres in Indonesia.

Several other jurisdictions are following the trend and bringing about new restrictions around data transfer. Vietnam passed the Law on Cybersecurity, which requires both foreign and domestic online service providers to store personal data of Vietnamese end-users in Vietnam, surrender such data to Vietnamese government authorities upon request, and supervise user posts to remove ‘prohibited’ content. Algeria also passed a law in February 2018 requiring electronic commerce operators conducting business to register with the government and to provide services from a data center located in Algeria.

The tussle

Even with the global trend towards data localization requirements, a significant debate has been triggered in India amongst stakeholders, corporations and other countries. Supporters of mandatory localization cite reasons such as prevention of foreign surveillance, effective law enforcement, jurisdiction of Indian authorities over data breaches and strengthening of the Indian economy. On the other hand, the United States Trade Representative, in its 2019 National Trade Estimate Report on Foreign Trade Barriers, has suggested that these requirements in India will raise costs for suppliers of data-intensive services by forcing the construction of unnecessary, redundant data centers and will prevent local firms from taking advantage of the best global services available.

Despite many such reservations expressed against India’s move towards data localization and resistance from foreign players in the Indian market, the Indian regulators seem unwavering. The RBI has ensured that global payment system providers comply with its requirement to house payments-related data in India. The Data Protection Bill is also likely to be introduced in the Parliament in the near future. Furthermore, earlier this year, the Department of Promotion of Industry and Internal Trade issued an early draft of the National eCommerce Policy, which also proposes restrictions on cross-border transfer, storage and use of Indian user data generated from social media, search engines, etc.

Summation

The concept of data localization is already being used as a tool by a number of countries. From the Government’s point of view, the question of local storage of personal data is intrinsically connected to the enforcement of domestic law generally and, in particular, the data protection law itself. In India, rather than imposing a complete bar on data transfer, which could hamper the continuity of many businesses, the Government is targeting highly sensitive or critical data in order to balance cross-border flows with India’s interests in effective enforcement of data protection laws. On the other hand, in addition to the added costs of data storage, security is a large concern when all of the data is stored in one country. The Government would have to work towards developing robust infrastructure and self-reliant digital security competencies within India for successful implementation of these laws.

Author:

Atima Mukherjee, Senior Associate

1. Rishab Bailey and Smriti Parsheera, Data localisation in India: Questioning the means and ends, National Institute of Public Finance and Policy Working Paper No. 242 (October 31, 2018) available at: https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf (last accessed on August 20, 2019).

2. Martina F. Ferracane, Restrictions on Cross-Border data flows: a taxonomy, European Centre for International Political Economy Working Paper No. 1/2017 available at http://popsdev.org/wp-content/uploads/2018/03/Restrictions-on-cross-border-data-flows-a-taxonomy-final1.pdf (last accessed on August 20, 2019).

3. Ministry of Health and Family Welfare, Data Transfer of Digital Health Records (July 16, 2019) available at: http://pib.gov.in/PressReleaseIframePage.aspx?PRID=1578929 (last accessed on August 20, 2019).

4. The Central Government reserves the power to categorize what would constitute as critical personal data.

5. Susan Ning and Han Wu from King & Wood Mallesons, ICLG to: Data Protection Laws and Regulations available at: https://iclg.com/practice-areas/data-protection-laws-and-regulations/china (last accessed on August 19, 2019).

6. King & Spalding, Data Localization in Russia: Now Backed with Big Fines (June 21, 2019) available at https://www.jdsupra.com/legalnews/data-localization-in-russia-now-backed-18981/ (last accessed on August 19, 2019).

7. Martina F. Ferracane, Restrictions on Cross-Border data flows: a taxonomy, European Centre for International Political Economy Working Paper No. 1/2017 available at http://popsdev.org/wp-content/uploads/2018/03/Restrictions-on-cross-border-data-flows-a-taxonomy-final1.pdf (last accessed on August 20, 2019).

8. Personally Controlled Electronic Health Records Act, 2012.

9. Zacky Zainal Husein and Muhammad Iqsan Sirie from Assegaf Hamzah & Partners, ICLG to: Data Protection Laws and Regulations available at: https://iclg.com/practice-areas/data-protection-laws-and-regulations/indonesia (last accessed on August 19, 2019).

10. Jeff Olson and Mai Phuong Nguyen, Vietnam Quick to Enforce New Cybersecurity Law (March 06, 2019) available at https://www.hldataprotection.com/2019/03/articles/international-eu-privacy/vietnam-quick-to-enforce-new-cybersecurity-law/ (last accessed on August 20, 2019).

11. United States Trade Representative, 2019 National Trade Estimate Report on Foreign Trade Barriers available at https://ustr.gov/sites/default/files/2019_National_Trade_Estimate_Report.pdf at p. 9 (last accessed on August 20, 2019).

12. United States Trade Representative, 2019 National Trade Estimate Report on Foreign Trade Barriers available at https://ustr.gov/sites/default/files/2019_National_Trade_Estimate_Report.pdf at p. 253 (last accessed on August 20, 2019).


DISCLAIMER

These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.