India’s proposed data protection regulation demands data localisation and restricts cross-border transfers, promising economic benefits for the broader economy, but imposing big cost and logistical challenges on Indian and international companies, write K Satish Kumar and Ritika Roy
Countries around the world are strengthening their data protection regimes given the rise in data breaches and the growing need to regulate how businesses use and process sensitive data. While much of the legislation is modelled around the EU’s General Data Protection Regulation, implemented in May 2018, countries have tried to tailor the rules to meet their domestic needs and economic and political goals.
The Indian government introduced its Personal Data Protection Bill, 2019, in the lower house on 11 December 2019. The bill was referred for assessment and approval to a joint parliamentary committee on the Personal Data Protection Bill the next day.
After two years of review, the committee tabled its report before both houses of parliament on 16 December 2021. The report also considered the Supreme Court judgment in the Justice KS Puttaswamy (retd) v Union of India case, and the recommendations of the Justice BN Srikrishna Committee.
The committee’s report addresses two sets of recommendations: (1) specific changes that should be reflected in the bill; and (2) general recommendations the government should consider.
Some key recommendations of the committee include regulating non-personal data in the bill, changing the threshold for reporting data breaches, regulating social media companies and intermediaries, the role of data protection officers (DPOs), and the fiduciary duties of hardware manufacturers.
However, the most notable and contentious suggestions are about data localisation. For example, social media company Meta Platforms had, in February, expressed concerns about India’s data localisation plans in a filing to the US Securities and Exchange Commission. It said India’s data privacy bill “requiring local storage and processing of data … could increase cost and complexity of delivering our services”.
IMPORTANCE OF DATA LOCALISATION
The committee’s report recognises that data is at the core of the future of any economy and is an important asset. Data localisation rules restrict the cross-border movement of data and deal with two critical aspects – location of storage and sharing.
There are two types of localisation – hard and soft.
Hard localisation means data are required to be stored within the country and cannot be transferred outside, while soft localisation allows for data mirroring, in other words, exact copies of data are made available in the country.
The committee has chosen a stricter approach to data localisation by recommending all data involving Indian citizens be kept within the country’s territorial limits.
This point was the most contentious recommendation and has seen the widest debate. However, the committee specifically recommended the government prepare an extensive policy on data localisation, covering aspects like the development of adequate infrastructure for safe storage of Indians’ data. The committee believes that change will generate employment, help introduce alternative payment systems, support local businesses and startups, promote investment, innovation and fair economic practices, enable proper taxation of data flow, and create a local artificial intelligence ecosystem to attract investment and generate capital gains.
IS LOCALISATION A TRADE BARRIER?
The US government has said India’s proposed data localisation requirements, under which firms need to store data within India, “will serve as significant barriers to digital trade” between the two countries.
The National Trade Estimate Report on Foreign Trade Barriers says such requirements will act as “market access barriers, especially for smaller firms”. If implemented, the rules will “raise the costs for service suppliers that store and process personal information outside India” by forcing them to construct infrastructure locally, which will not be cost effective.
A major advantage of data localisation is quick access to data. Secondly, not all countries have adequate legal orders for data protection. Nations with data stored in different countries may impose data localisation to prevent data being transferred to countries where data protection laws are inadequate. Thirdly, physical infrastructure is required to store data. Therefore, data localisation will accrue economic benefits for local industry through employment to create infrastructure. Other benefits are attracting investment, fuelling innovation, and creating a competitive advantage for domestic companies.
However, there are a few disadvantages. Requiring data localisation increases operational and compliance costs for companies because they have to duplicate infrastructure in all countries where data localisation laws have been implemented. Consequently foreign companies bear significant cost increases to comply with different and stringent standards of privacy or security. Even a startup that signs up on a third-party service, for example, Google Workspace, will inevitably use foreign servers, as most of those service providers locate their servers outside India. A large number of Indian startups depend on cross-border data transfers, for instance, to use cloud service providers located outside India. Provisions impeding the free flow of data will create difficulties for startups that cannot access cost-effective and best-in-class technologies and infrastructure.
Consequently those businesses may be forced to incur higher costs in India and ultimately become uncompetitive. Such strict regulations may also prompt Indian founders to register their companies abroad to avoid that level of compliance.
The 2019 bill already imposed several restrictions on cross-border data transfers. The committee’s report has proposed additional bureaucratic hurdles on data transfers, like requiring central government approval for transfers under contracts or intra-group schemes.
UNCLEAR CROSS-BORDER ARRANGEMENTS
The free flow of data acts as an equilibrium, allowing startups to compete globally on price and quality, regardless of their size. Disproportionate restrictions on data transfers could impede startups’ access to cheaper services and cutting-edge technology offered by global cloud platforms and international markets.
A separate category of personal data considered “critical” would be entirely prohibited from transfer outside India. The Data Protection Authority would define “critical data” without even an indicative hint of its scope in the bill.
The bill also requires large players to have DPOs physically located in India. The officers are required to be key managerial personnel, but the outside world may see those measures as less about protection and more about protectionism.
The committee has recommended the government subsidise the development of infrastructure for startups in particular and use revenue generated from data localisation to help small businesses and startups comply with data localisation requirements.
While the committee’s effort to ensure the growth of startups is visible in the pro-startup recommendations, some points cannot be ignored. The report, having been tabled in the parliament, awaits the scrutiny of both houses and will probably see larger debate inside and outside the parliament.
Developments on the bill will be interesting, especially because many dissent notes were filed about the committee’s recommendations by committee members. Continual pressure from businesses and a growing data protection regime internationally will add further dimensions to the discussions.
It remains to be seen whether the Data Protection Bill alleviates concerns of industry and investors that view India as a lucrative investment destination. Increased compliance and establishment costs for SMEs and startups are another major concern that, if not tackled effectively, might force existing players to exit, and be an entry barrier for new enterprises and startups.
When the world is moving towards adopting a strong data privacy regime, India should not lag in fulfilling the data adequacy requirements and should endeavour to have a strong domestic digital privacy regime. That will determine whether other countries recognise India as a country with an adequate level of protection.
THE COMMITTEE’S OTHER SUGGESTIONS
Reporting data breaches: The committee has recommended removing the “significant harm” threshold and instituted a 72-hour deadline for notifying data principals of a breach.
Social media and intermediaries: The committee has refurbished the way social media platforms and intermediaries are regulated. It recommended all social media platforms that do not act as intermediaries be treated as publishers and held accountable for the content they host. A mechanism may be devised whereby social media platforms that do not act as intermediaries will be held responsible for content from unverified accounts on their platforms.
Data protection officers (DPOs): The committee recommended that DPOs be key managerial personnel (KMP) in companies. KMPs are defined as CEOs, MDs, managers, full-time directors, CFOs, company secretaries, or other personnel prescribed by law. Having a KMP as the DPO may lead to higher accountability and increased efficiency due to direct oversight by a company’s top management.
Hardware manufacturers as data fiduciaries: The Ministry of Electronics and Information Technology (MEITY) warrants that all IT hardware device manufacturers conduct a “device evaluation”. The committee has recommended an additional set of regulations be formulated by the Data Protection Authority (DPA), along with certification standards formulated by the government. With three different agencies (the MIETY, DPA and certifying authorities) regulating data protection, attaining harmony between the regulations would be paramount for the sector’s continued growth.
K SATISH KUMAR is a keynote speaker, author and group chief legal officer of Intellect Design Arena. He is actively involved in many pro bono activities through Chennai Lawyers. He can be reached at firstname.lastname@example.org. RITIKA ROY is vice president of legal at Intellect Design Arena. The views expressed are personal.