While data localization is beneficial to India’s national security and privacy goals, business efficiency should also be kept in mind.
By Abir Roy
In line with the previous versions, the proposed Data Protection Bill, 2021 (2021 Bill) by the Joint Parliamentary Committee (JPC) has advocated for data localization and emphasized India’s strategic objectives related to national security, privacy and building of a domestic data economy. Clauses 33 and 34 of the 2021 Bill provide for data localization and conditional cross-border data transfers. The JPC report also recommends formulating comprehensive data localization policies. It gives a touch of retroactive effect to the provision and recommended that the government take concrete steps to ensure that a mirror copy of the sensitive personal data (SPD) and critical personal data (CPD) already held with foreign entities is mandatory to India in a timely manner.
Under Clause 33, the 2021 Bill specifies that SPD can be transferred outside of India subject to certain conditions being met; however, they will be stored in India itself. CPD can only be processed in India, but the term is still pending definition. Clause 34 adds significant granularity to the existing governance process of cross-border data transfers under Rule 7 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. Under the 2021 bill, cross-border data transfers are only allowed with explicit consent of the data principal has been taken. In addition, such transfers should be made pursuant to a contract or group arrangement approved by the Authority in consultation with the Center, and will be assessed on the basis of public interest considerations, and appropriate data protection measures should be taken by the data fiduciary consistent with foreign government laws and the availability of enforcement powers.
Speaking of the financial sector regulator, RBI, see its 2018 circular, mandatory data localization for payment systems data. It even took enforcement action against MasterCard and Amex for non-compliance with them.
Data localization is not unique to India and several countries have integrated it. US law requires defence-related data to be located, Australia has sectoral regulations for localization of health data, Russia requires the localization of all personal data of its citizens, China requires data on critical information infrastructure and important personal information to be located, Indonesian law requires localization of all public service data, and the EU allows conditional data transfers. Many bilateral and multilateral agreements also exist. These include countries that commit to identical data protection standards and commitments on cross-border data transfers and data localization, such as the Osaka Track (2019), The Clarifying Lawful Overseas Use of Data (CLOUD) Act (2018), Comprehensive and Progressive Agreement for Trans -Pacific Partnership (2018), Digital Economy Agreement (DEA), (2020), among others.
The main argument against data localization is that it will increase operating costs. According to a report from the Leviathan Security Group, data localization practices increase the cost of hosting data by 30-60% at the enterprise level as centralized data storage and processing is possible online thanks to the economies of scale of cloud computing and a seamless global internet. When governments dismantle this, the costs of doing business and compliance skyrocket. Higher costs hinder market entry for start-ups – operating on unit economy and EBITDA – suppressing innovation and reducing long-term competitiveness.
In addition, the Meta Platform has stated in its filing with the U.S. Securities and Exchange Commission that data localization in India will increase operating costs and complexity in terms of service delivery due to the extensive and layered process of government approval and consultation required for cross-border retransmissions. of data under the 2021 bill. The government approval requirement for the transfer of SPD is seen as a problem by many start-ups.
Following the changing international relations, the JPC has pushed for data localization based on data sovereignty and democratic control over data for enforcement action. The draft e-commerce policy in India also proposes data localization measures to keep data secure, reap economic benefits and create employment. The 2018 Justice Srikrishna Commission report emphasized leveraging data and driving the growth of AI and technology through data localization.
According to a study by the US Chamber of Commerce on the benefits of data centers, they create an average of 1,700 direct and indirect jobs and generate $243.5 million in output within a state. Putting this in the context of India, where India is positioned as a strategic and important digital market, data localization would require capital investment from foreign companies to set up data centers in India with simultaneous job creation, potentially outweighing the impact of data localization.
The data localization debate is between sovereignty and business efficiency. While industry regulators like RBI have made it mandatory, the arguments of both sides deserve attention. It will be interesting to see how the government addresses their concerns and the interests of the industry.
The writer is founder and advocate, Sarvada Legal.
This post Data Protection Act, 2021: The Data Localization Conundrum was original published at “https://www.financialexpress.com/opinion/data-protection-bill-2021-the-data-localisation-conundrum/2462102/”