Data Localisation under PDP- A Shot in the Dark
Recently, the European Union expressed reservations about the Data localisation policy under the draft Personal Data Protection bill of 2018 proposed by the government of India.[i] The PDP bill is being described as the Indian version of General Data Protection Regulation (GDPR), a European Union framework of data protection that was brought in May 2018. It has some striking similarity with the GDPR. The concept of data localisation is undoubtedly one of the most hotly debated and controversial aspects of this draft bill. This article will be dealing with the concept of data localisation along with its impact on India.
India has a long history of drafting laws to shield its corporations. However, in the long run, it is the Indians who suffer. That is what will happen if the Central government goes on with its plan to force all the companies doing business in India to store all its customer data locally. The Justice Srikrishna committee’s report on Data Protection created a big fuss when it talked about restricting the transfer of personal data outside India. This is the concept of data localisation. It means that the data should be stored within the borders of a country in which it was generated. Citing data protection as the need of the hour, in chapter six of the report, the committee explains reasons such as preventing foreign surveillance, the safety of data amongst others to favour data localisation.[ii] In simple language, the committee wanted the law enforcement agencies to gain easier access to this data. The bill requires at least one serving copy of the data being collected by the companies to be stored on a data Centre situated in India.[iii] The bill also requires the central government to notify categories of personal data as critical personal data that shall only be processed in a server or data Centre located in India.[iv] This means that once the bill will be enacted, foreign giants such as Google, Facebook, Twitter, LinkedIn, Amazon among others will be forced to host the data of their users in India. But scrutinizing it minutely, one might come to a conclusion that on a large scale, data localisation does more harm than good in India and is very inefficient.
Why Data Localisation is, in fact, a Bad idea.
The first argument against it is that it creates the danger of monopolization in various sectors. The small and medium-sized firms in India who use cloud computing for their businesses will have to deal with increased costs to alter their servers. Only a few firms in a sector will have the expertise and capital to create huge/secure data centres. Though the committee goes on by saying that the markets will bear the costs but it nowhere tells the reasons as to how would it do so. This is the reason why big payment firms like Paytm and PhonePay are supporting the localisation move while comparatively smaller firms like Freecharge and Mobikwik are on the other side.[v] This also goes against the economic policies of the current government which also include promotion of startups. Many startups which are willing to invest in the Indian market, however, might not have such large capital to set up a data storing or processing unit in India. This move will act as a demoralizing factor and might force them to think twice before expanding their business in the Indian market.
The second point against localisation contradicts the very base of the committee’s report which deals with the security of data. Restricting the service providers to save data within a limited geographical territory increases the threat to the data security. A 2017 Cyber Security report by Telstra shows that India is one of the most targeted and vulnerable countries to cyber security attacks.[vi] Just last year stolen data of over 6,000 Indian businesses were up for sale on the darknet.[vii] Thus, the concern of privacy still remains.
Data localisation and Indian law
In the recent judgment of Justice Puttaswamy v. Union of India, privacy was cited as an intrinsic fundamental right under Article 21 of the Indian Constitution.[viii] The draft bill aims to stop domestic or foreign surveillance of user’s data but in reality, it is nowhere close to achieving its desired aim. Often surveillance efforts are directed in hacking into data centres abroad. Thus, data on domestic data centres will not prevent foreign agencies from conducting surveillance.[ix] Domestic surveillance, on the other hand, is also a concern. Since Edward Snowden’s disclosure on NSA mass surveillance on its citizens, numerous other cases have come into picture worldwide. Government surveillance threatens democracy and individual rights.[x] If data is centralized at one place in the territory of a country, it will give the government the upper hand in dealing with the domestic businesses. This gives scope to favouritism and rules out a level playing field.
The committee fails to address some concerns of mandatory provisions like that of section 91 of the Code of Criminal Procedure. The section talks about access to the investigating officer any document or other thing needed for the purpose of investigation, trial or other proceedings under this code. While imposing data localisation, uncertainty remains as to how this particular data would be obtained by police authorities.
Impact on Indian Economy
A recent study has shown that Localisation generally has negative impact on the growth of an economy for e.g. China (-1.1 %) Vietnam (-1.7%), It also talks about the negative results data localisation would bring on Indian Economy.[xi] Various other studies have also shown that India will suffer a loss of 11% of the average monthly salary per worker along with a considerable loss of about 1.4% to 1.9% in domestic investment.[xii]
All the above-mentioned factors along with the ones discussed below will ultimately do more bad than good to Indian Economy. There is a growing concern that data localisation measures will result in trade conflicts. The foreign companies might introduce reciprocal localisation policies for India that forces Indian companies to store user data within that country leading to legal conflicts. There are growing speculations that the localisation might hamper the ongoing trade deals with the European Union with the EU looking for alternative markets for evading additional costs of localisation.[xiii] A report of the European Centre for International Political Economy shows the costs incurred on data localisation measures.[xiv] It estimated that if the European Union introduces data localisation then its GDP would go down by 0.4 per cent, investment by 3.9 per cent and it would suffer welfare costs of around 193 billion USD.
India-US Data-Sharing Pact
8 out of the top 10 most accessed websites in India are owned by the US. India still relies on Mutual Legal Assistance Treaty (MLAT) process to obtain data stored by the US companies. US companies are only allowed to share data upon receiving a federal warrant from the US authorities. This is an outdated and time consuming process. Recently, the US Congress passed Clarifying Lawful Overseas Use of Data (CLOUD) Act which allows companies to share data directly with certain foreign governments. The foreign government is required to certify that the state has strong data protection mechanisms and respect for due process and rule of law. The draft bill in India talks about principles of legality and proportionality for data processing in the national security matters and investigation of crimes but fails to propound procedural rules needed to enforce these principles.
Another key point which goes against it is that it would create unnecessary costs for the business personnel and customers along with uncertainties that will ultimately hamper business and investments in India.
The recent judgements by Hon’ble Supreme court of India in the cases of KS Puttuswamy[xv] and Aadhar[xvi] have definitely made privacy as a thing of utmost concern for an individual. The steps taken by the government in safeguarding the privacy of individuals through the draft Data Protection Bill is also a right step in this regard. However, the concept of data localisation under the draft bill is a flawed arrangement and nowhere close to safeguarding an individual’s privacy.
It will create an unnecessary trade barrier which will harm the Indian economy. Moreover, there is no evidence to prove that data localisation will make the data of individuals secure. The bill is also not clear on what constitutes critical personal data and hence it requires more clarity.
The government should, instead, create a mechanism for local storage of important data such as data pertaining to the defence sector and national interest along with the data of strategic governmental interest. For other data, it can create a special safeguard mechanism for safekeeping of Indian data on foreign land.
The only good it will do is that it will reduce the cost of Indian law enforcement agencies while harming the growth of the nation in many other ways. So, it’s better to go away with such provision rather to struggle with it.
[i]European Commission flags concerns over India’s data localisation norms, trade barriers, FINANCIAL EXPRESS, November 22, 2018.
[ii] The Personal Data Protection Bill, 2018, Section 40(1).
[iv]The Personal Data Protection Bill, 2018, Section 41.
[v]Pratik Bhaktal, Local firms back RBI’s October 15 deadline for data localisation, GADGETS NOW, Oct 8, 2018.
[vi]Cyber Security Report 2017, TELSTRA https://www.telstra.com.au/content/dam/tcom/business-enterprise/campaigns/pdf/cyber-security-whitepaper.pdf.
[vii] Priyanka Sangani, Hacker puts info of over 6,000 Indian businesses up for sale in massive data breach, THE ECONOMIC TIMES, October 3, 2017.
[viii]Justice K.S. Puttaswamy and Ors. vs. Union of India (UOI) and Ors. AIR 2017 SC 4161.
[ix]Tatevik Sargsyan, Data Localization and the Role of Infrastructure for Surveillance, Privacy, and Security, INTERNATIONAL JOURNAL OF COMMUNICATION 10(2016), 2221–2237.
[x]Conniry, Krystal Lynn, “National Security, Mass Surveillance, and Citizen Rights under Conditions of Protracted Warfare”. Dissertations and Theses Paper 3204.
[xi]Matthias Bauer, Hosuk Lee-Makiyama, Erik van der Marel, & Bert Verschelde, The Costs of Data Localisation: A Friendly Fire on Economic Recovery, ECIPE Occasional Paper No. 03/2014.
[xiii] Surabhi Agarwal, Datalocalisation clause may hurt trade pacts between European Union and India, says Ralf Sauer, December 5, 2018.
[xv]Justice K.S. Puttaswamy and Ors. vs. Union of India (UOI) and Ors. AIR 2017 SC 4161.
[xvi]Justice K.S Puttaswamy (Retd.) and Anr vs. Union of India (UOI) and Ors, 2018 SCC SC 1642.
By Raja Reeshav Roy and Ankit Shubham, 3rd Year Students, National Law University Jodhpur (NLUJ)