The government constituted a committee of experts under the headship of Justice B.N. Srikrishna which has issued a report (Srikrishna Report) <1> and the draft Personal Data Protection Bill, 2018 (the Draft Bill). <2> This follows the Supreme Court’s emphatic declaration of a fundamental right to privacy and the importance of a data protection framework in India. <3>
One of the notable proposals in the Srikrishna Report is the requirement that companies have to store certain categories of user data on Indian territory. The Draft Bill envisions that the Data Protection Authority (DPA) will specify categories of data that will be required to be hosted locally. In addition to this broad restriction, it is proposed that a serving copy of all personal data will need to be made available in India. The Data Protection Authority’s approval will also be required for all cross-border transfers of data pursuant to any contractual or inter-group arrangements.
The citizenship of the data principal, i.e. the person to whom the data relates, is the basis for jurisdiction in the Draft Bill, akin to the European Union’s General Data Protection Regulation (GDPR). This principle seeks to overcome the limitations of territorial jurisdiction given the ubiquity of the internet and data. The localisation requirement, which is absent in the GDPR, is contradictory to this approach to jurisdiction. The localisation requirement pre-supposes that territorial jurisdiction over data is a sine qua non for enforcement. This inherent contradiction dilutes the uniquely Indian fiduciary jurisprudential approach to privacy mooted by the Srikrishna Report.
The Reserve Bank of India (RBI) in April this year required that all payment data be stored only in India by payment gateways. The RBI notification is remarkable in its candour, admitting that the objective behind the move is “to ensure better monitoring, it is important to have unfettered supervisory access to data.” <4> This provides a sense of the government’s approach to data once it is localised.
The Srikrishna Committee avowedly stayed away from surveillance reform. This, however, cannot be reconciled with its localisation proposals. <5> Admittedly, in certain circumstances, it is in the public interest for the state to have access to data. The Cloud Act <6> in the United States provides an alternative to the unsatisfactory status quo of the Mutual Legal Assistance Treaty framework. There appears to be no consideration by the Srikrishna Committee of using that mechanism to address the issues of legitimate government access to data. This could realign India’s security needs with the cause of an open and fair digital economy. The Draft Bill instead seeks, by the sleight of a heavy regulatory hand, to impose these restrictions, which is government usurpation of sound commercial decision making.
The internet permits the market to benefit from efficiencies and multiply value creation. It connects the user base to the most efficient site for storing data. This is the economic rationale for a substantial portion of the world’s data being stored in seven countries. This is not to say that India must not focus on domestic capacity building. That objective however will only be achieved by the availability of infrastructure and a conducive policy framework.
The global standard of regulation has been crystallised by the European Union in the GDPR. The GDPR regulates cross-border data flows in two ways. First, through the adoption of standard contractual clauses. Secondly, by declaring certain jurisdictions as having adequate legal safeguards, to which data may be freely transferred. It does not adopt an inflexible rule that certain categories of data are required to be stored in Europe alone. The Srikrishna Committee is cognisant of this prudent approach, given the inclusion of similar requirements in the Draft Bill. The Draft Bill, however, adds another layer of red tape by requiring that any transfer arrangement be approved by the DPA. This binds businesses, whose data flows and synergies constantly change, with bureaucratic delays.
The requirement of retaining one “serving copy” of all personal data collected within India is shrouded in mystery. The Report uses the word “live” to describe this copy of data. <7> The Draft Bill, however, has curiously left that element out. Compliance with such a provision requires specific details if the regime is to be meaningful at all. Irrespective of the merits of this proposal, the scope of such obligations needs to be set out in clear and technical terms.
The localisation proposals severely compromise the ability of the digital economy to benefit from its efficiencies. They further create a barrier to market entry that will potentially isolate India from new innovations in the internet space. One must be wary of regulation replacing commercial decision making in a market economy. This is even more crucial for the technology and internet sector, where change is the equilibrium.
<3> K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.
<5> Clauses 40 and 41, Draft Bill.
<6> Section 105, Clarifying Lawful Overseas Use of Data Act, 2018 (United States).
<7> Page 96, Srikrishna Report.
The views expressed above belong to the author(s).
Sidhant Kumar is an advocate based in New Delhi. He works on commercial and regulatory litigation. Sidhant is the co-author of Privacy Law: Principles Injunctions and Compensation ...