Need for Data Localisation in India

Internet usage and coverage have come to be regarded as a mark of a country’s progress. As a result of this digitization, the notion of data privacy has taken on critical relevance in today’s digital realm. This is clear from the focus that governments worldwide, including India, have placed on adopting data privacy regulations. While legislation such as the General Data Protection Regulation (“GDPR”) has served significantly in this regard, politicians still do not deem it sufficient. As a result, data localization has become a serious policy concern in several nations, including India. Data localisation, the simplest wing of data protection as a whole, guards the flow of data, especially cross-border transfers. With the rise in internet piracy, hacking, ever-increasing cyber-crime and the independence of data across borders, the governments of various developing nations, including India, have felt the need to protect cyberspace in their countries. This is done through personal data protection laws which emphasise the localisation of certain data significant to their sovereignty, so that it is kept unique and protected within their nation’s jurisdiction. The Indian government has turned its attention to developing a framework in this regard, and several policy debates have followed, focusing particularly on the benefits and drawbacks of restricting data flow. This cybersecurity issue intersects with data localization efforts for cyber resilience. If data is stored on only one server, anyone with physical access to that server may be able to make that data inaccessible. Because disconnecting or deleting the server would also affect the availability of other data, this may be a blunt instrument. However, for particular kinds of data, this cyber resilience viewpoint may serve as an incentive for either exclusive or non-exclusive data localization requirements.
More broadly, data localization is being explored with the explicit goal of increasing resilience in the event that a nation is purposefully or mistakenly shut off from the global Internet, as access to data will be heavily reliant on its infrastructure in such an event. The Indian government has identified four overarching goals for enacting data localization requirements: (i) making access to personal data easier and more convenient for the purpose of regulating the country, (ii) enhancing economic and employment growth, (iii) restricting trade surveillance and other data flow checks by other nations, and (iv) initiating the implementation of data protection laws and a better framework overall. However, it has not been explained how such a strict policy on data localization will enable the achievement of these goals (without impeding the cross-border flow of data, which is vital for globalisation and progress). This paper thus analyses the need for such a policy in the country and serves as a guide for the Indian government to recognise the growing concern of data protection.

WHY DATA LOCALISATION?

The advent of industrialisation has changed patterns of business across the globe, and thus eventually in India too. Cross-border data flows freely between nations through multinational companies and their outlets in various countries, the internet as a whole, and so on. In India too, medium and small enterprises have benefitted greatly from the increased productivity and efficiency generated by this free data transfer. However, alongside the increasing benefits, the ramifications of this exercise are not latent. Uninterrupted data flow can be misused by shrewd individuals or companies for their own profit or to defame a particular country or individual. This is why so much focus is being put on protecting critically sensitive data at both the individual and the national level. In general, countries worldwide, with which India agrees, have raised four concerns about this unmonitored data flow.[1] These are (1) data storage on foreign servers, which has hampered data access for domestic national security agencies, (2) loss of economic gains owing to data exploitation by foreign corporations, (3) worries about foreign monitoring, and (4) abuse of personal data in violation of privacy rights.[2] Data localisation measures have been a debated topic in Indian news, which underlines the need for their implementation and the concerns about their impact. These measures are generally implemented for purposes such as addressing cybercrime, cyber resilience, protecting and accessing sensitive government data, and enabling surveillance by national security or law enforcement agencies, as in the case of Russia’s Data Localization Act 2015.
One of the most prominent arguments for data localization measures is the potential benefit to economic competitiveness: “Many governments believe that by forcing companies to localise data within national borders, they will increase investment at home.” Thus, data localization policies are often driven, whether expressly or implicitly, by an intention to enhance the domestic economy. Protection of geospatial data, limitation of cyberespionage, and other geopolitical advantages through bilateral and multilateral agreements are other advantages of adopting data localisation. Although data privacy is understood to be directly proportionate to the use of data localisation measures, many scholars have pointed to concerns that such measures can have the reverse effect, hampering their very motive, i.e., data protection and privacy.[3] In this regard, concerns have been raised that data localisation will have a detrimental influence on data privacy “by increasing government access to user data, reducing the efficacy of corporate privacy and security controls, and expanding the corporate network.” This, in turn, points to data localization as a possible instrument for political repression: strict data localisation laws can enable political oppression by putting information under state control and endangering individual rights such as privacy, data protection, antidiscrimination, and freedom of speech, as well as democratic ideals. It has also been noted that data localisation rules may actually raise privacy threats by requiring data to be kept in single centralised places that are more susceptible to intrusion.
To address the concerns regarding data privacy and localisation measures, many scholars tend to treat localisation measures as equivalent to privacy regulations and so diminish the need for any specific data localisation measures.[4] In the same vein, many governments have set limits on transborder data transfers in accordance with data privacy regulations and thus, as mentioned above, it appears that many analysts include those constraints in the notion of data localisation. However, there is a considerable distinction between something being prohibited and something being permitted only under certain conditions. In our situation, there is a major distinction between a requirement that data be held at a place or processed in a given jurisdiction, on the one hand, and constraints imposed on data transfer to another nation, on the other.[5] Data held in one place is said to be localised, while its protection from intrusion by any foreign party in any jurisdiction is data privacy. Hence, it can be said that data localization does not always result from the constraints imposed by data privacy legislation on cross-border data transfers. India, among other developing nations, has begun working in the domain of data protection and localisation by framing several laws and guidelines; however, a lot remains to be done in policymaking to enable effective and sensitised data usage in the country, which is discussed in the following section.

DATA LOCALISATION LAWS IN INDIA

The contemporary laws in India relating to data localisation include laws and policies made for specific sectors, such as the company sector, the banking sector, IRDAI regulation, etc. For instance, under the (Indian) Companies Act 2013[6] and the Companies (Accounts) Rules 2014, Section 94 of the Companies Act[7], read in conjunction with Sections 88 and 92, requires covered organizations to keep financial records within the company’s registered office. The government’s “MeghRaj” initiative, which is designed to promote the use of cloud services by the government, also contains a requirement for the localisation of government data, and under the IRDAI (Maintenance of Insurance Records) Regulation, 2015, Paragraph 3(9) requires covered organizations to keep insurance data in India.[8] The above specifications for data localisation in various Indian sectors bring out the different models available for implementing a uniform law of this kind across India.

On July 27, 2018, the Srikrishna Committee also delivered its findings and a draft Personal Data Protection Bill, 2018[9], to the government, along with some major suggestions on private data localization. The Committee proposed a “three-pronged model,” which included storing at least one live, serving replica of all personal data in India. Furthermore, some kinds of ‘sensitive personal data,’ which the government will notify, would be subject to a tougher requirement of being stored and processed solely in India. Finally, the government would have the authority to exclude specific nations, industries, or international organisations from limits on cross-border data flow on the basis of ‘necessity’ or ‘state strategic interests.’ The above recommendations are crucial for preparing a worthy model of data localisation in India without compromising its social and political structure. The present experiences of the Indian government in forming the said laws including sector-specific localisations such as encryption of data, delimitation of sensitive information within the jurisdiction of the sector.[10]

However, the introduction of any good law may face impediments in its implementation, and many a time there is no consensus ad idem between those who frame the law and those who act under it. Whenever a vital subject that has an incidental chance of infringing the rights of the people is to be made into law, the people ought to be consulted first so as to minimise its ramifications. For example, the passing of a uniform civil code in India is pending, as many groups have voiced opposition to it, leading to many amendments to the draft bill to align it with the interests of the general public. In a similar way, data localisation measures may become a hurdle to Indian citizens’ freedom of speech and expression, as they hamper the free flow of data.[11] On the other side of the coin, they also guard citizens’ right to privacy, as they localise data and protect it from access by unauthorised third parties. The conflict between these two rights has to be taken into consideration while implementing this particular law so that it suits the best interests of the nation. The RBI’s directive on data localisation requirements under the payment and settlements act gives insights and lessons to build upon for the country’s future policymaking on this subject. Firstly, the RBI’s lack of openness and transparency in delivering its directive illustrated how a policy that fails to address the public’s views and opinions eventually does not succeed in its implementation. It simply put up a direct notice of the directive without consulting the public at large or releasing any preliminary draft for scrutiny. Secondly, it failed to explain the need for and importance of the directive in the financial security domain, which rendered its motivations dubious and open to questioning by many stakeholders. It mentioned just a one-line objective of ensuring supervisory and monitoring access to payment data.
Because of this, many opinions came to light questioning the basis of the directive itself. Thirdly, the urge to bring in the directive blinded the RBI to already existing specific directives of this kind, which may result in redundancy of laws and even conflict at a later stage. The implication for future policymaking is that localisation measures should be introduced after taking into account the surrounding technological and financial environment, and that merely mandating them does not fulfil their regulatory ends. Finally, strict localisation measures such as those adopted by the RBI in this case should be reserved for extreme cases, as they halt the free flow of information and thus the operation of the worldwide internet; alternatives that lean towards public welfare coupled with technological advancement and data protection should be considered before jumping to such measures in a rigid manner. The RBI in this case failed to achieve any of these and thus monopolised law-making to bring in a directive not really suited to democratic interests.[12]

To conclude the chapter, data localisation is an urgent need of the country today; however, it should be implemented judiciously, considering all the parameters and consequences, in order to serve the best interests of democracy and the security of the financial sector.

SUGGESTIONS

Having discussed the immediate need to introduce uniform legislation for data localisation and protection in cyberspace, the author would suggest certain points as to what the content of the legislation should look like and how it should be implemented in line with its real motivations. Primarily, the already pending Personal Data Protection Bill 2019 should be implemented, and data localisation should be made a crucial part of it at all necessary levels and not just for sensitive government data. The localisation of sensitive personal data, especially within the organisations to which it is submitted, should be the priority, as the identity of the person associated with the data can sometimes be misused by that country’s own government. The general perception that data should be kept localised with the government is not really wise, as national politics could ruin the financial security and privacy of individuals whose personal data is localised in the hands of the country’s leaders. Moreover, the unrestricted operation of rapid algorithms that identify the personal data we enter into digital apps, websites, companies, etc. while carrying out our everyday technological tasks allows personal data to flow rapidly into cyberspace, hampering its secrecy. Thus, it is advised that apps, websites, private agencies and government agencies alike be made accountable through a written agreement not to leak the data in any case, failing which legal consequences would follow. This gives rise to the need for all-India legislation binding agencies that hold personal and sensitive data to a legal obligation to protect and localise the data within a defined and informed cyberspace. The existing bill should work as a supervisory and supreme law governing all the existing sector-specific data protection laws and reconciling them so as to enhance the working of the financial and technological sectors, coupled with the protection of citizens’ fundamental rights.
Additionally, a significant caveat to the bill’s scope is the government’s authority to exclude, by executive order, any agency of the government from any requirements of the Bill for any type of processing on a wide range of grounds. This is liable to be misused by such agencies for political purposes and would run contrary to the bill’s motivations. Such an exception should be made specific, as recommended by the Srikrishna Committee, rather than the blanket exception currently included in the bill, whose use can directly affect people’s privacy. Also, the provisions for seeking redressal in case of harm to a data principal are somewhat unusual and prone to corruption and misuse. They allow aggrieved parties to complain to Adjudicating Officers (AOs), who act as middlemen between the aggrieved and the legal system, and to ask for compensation. The AOs then consider the relevant conditions and harms and award compensation; appeals can be made to the established tribunals only after passing through this level of complaint to the AOs. As we have seen in cases such as the farm laws in India, authoritative decisions made by such authorised middlemen or first-complaint authorities lead to exploitation of the victims and corruption in the overall system.[13] The Data Protection Authority of India (DPAI) can indicate a wide range of “reasonable purposes” as a basis for processing personal data without consent (Article 14)[14]. This includes factors to consider, the requirement to include appropriate safeguards, and a list of possible examples of “reasonable purposes.” However, there is no real limit to the interferences that the DPAI can cover.
In the Srikrishna Bill[15], the statute on non-sensitive material limited the powers of the DPAI on certain justifiable grounds, but this limit was removed in the present bill, which gives authority and a monopoly to the DPAI, a government agency, to regulate these affairs. This can lead to infringement of individuals’ privacy and to unauthorised use and manipulation of their non-sensitive data in a manner that might affect their financial security. The Bill has, at least on the surface, many of the rights and requirements contained in top international data privacy laws, including the GDPR. In this regard, it is comparable to the Srikrishna Bill; however, some concepts are weakened. The penalties for violations of the legislation, as well as the compensation provisions, appear to be harsh, even by worldwide standards. The DPAI is controlled by government nominations and lacks independent safeguards. Data principals (and the non-governmental organizations that represent them) possess the autonomy needed to begin its enforcement. Thus, it is a progressive Bill to some extent. However, considering its complex provisions related to data localisation and the over-specificity of the measures provided, this Bill falls far short of international norms in terms of whether it would be strictly and successfully implemented.

CONCLUSION

The paper went through various sections explaining data localization as a general concept needed to safeguard individuals’ right to privacy and to protect sensitive data from being misused against a person’s identity. As discussed above, it is an immediate need of today’s era, especially for developing nations like India. The excessive and unignorable use of internet databases has led to concern about data privacy and individual safety. In this regard, a guideline was also recently issued disallowing eateries and restaurants from recording customers’ personal details. Similarly, different sectors have different guidelines and laws for encrypting their users’ data; however, these are rather vague and distributed unevenly across sectors, which often creates confusion among stakeholders about their implementation. Therefore, the paper emphasises the need for uniform data protection and localisation laws in India at both the government and individual levels. Existing laws in various sectors were also examined, as they could inspire or serve as lessons for the state while framing upcoming laws and policies on data protection. As an active-spirited citizen, the author has understood and analysed the current need in detail, together with the suggestions that should be kept in mind while forming future policies.


[1] Data Protection in India: Overview, Khaitan & Co, https://www.khaitanco.com/sites/default/files/2021-04/Data%20Protection%20in%20India%20Overview.pdf (last visited May 25, 2023).

[2] Data localisation norms: A key pillar for privacy protection.

[3] Data Localisation-India’s Double-Edged Sword?

[4] Kelly Henson, Introduction to data privacy, Data Privacy, 21–48 (2016).

[5] Raj Shekhar & Aman Yuvraj Choudhary, Data Localisation and Cross-Border Flow of Data: Balancing the Incongruent Dimension of Barriers, Safeguards and “Free Flow of Data”, 2022 RGNUL FIN. & MERCANTILE L. REV. 19 (2022).

[6] The Companies Act, 2013, No. 18, Acts of Parliament, 2013 (India).

[7] The Companies Act, 2013, § 94, No. 18, Acts of Parliament, 2013 (India).

[8] Data protection in the Indian Insurance Sector – Regulatory Framework Part I – insurance laws and Products – India, https://www.mondaq.com/india/insurance-laws-and-products/809122/data-protection-in-the-indian-insurance-sector–regulatory-framework-part-i (last visited May 25, 2023).

[9] The Personal Data Protection Bill, 2019, PRS Legislative Research, https://prsindia.org/billtrack/the-personal-data-protection-bill-2019 (last visited May 25, 2023).

[10] The Draft Digital Personal Data Protection Bill 2022: Recommendations to the Ministry of Electronics and Information Technology, ORF, https://www.orfonline.org/research/the-draft-digital-personal-data-protection-bill-2022/ (last visited May 25, 2023).

[11] A look at proposed changes to India’s (personal) data protection bill, https://iapp.org/news/a/a-look-at-proposed-changes-to-indias-personal-data-protection-bill/ (last visited May 25, 2023).

[12] RBI mandates data localisation for payment services: Is this the only solution to protect data and privacy?, Bar and Bench – Indian Legal news, https://www.barandbench.com/columns/rbi-mandates-data-localisation-for-payment-services (last visited May 25, 2023).

[13] Data Protection: A necessary part of India’s fundamental inalienable right of privacy – submission on the white paper of the Committee of Experts on a Data Protection Framework for India, SSRN, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3102810 (last visited May 25, 2023).

[14] India Const. art. 14.

[15] Committee reports, PRS Legislative Research, https://prsindia.org/policy/report-summaries/free-and-fair-digital-economy (last visited May 25, 2023).


Author: Suhani Sharma

