The Indian Data Localisation Proposal – more misses than hits?
India has a patchwork for a data privacy regime. There is currently no comprehensive national framework governing privacy issues, despite the Indian Supreme Court asking the government to legislate in 2018. Based on recommendations of a committee, a data protection bill was proposed in July 2018. A revised version of this bill, the Personal Data Protection Bill, was tabled in December 2019 and still awaits the legislative seal of approval.
This Bill has been criticised by diverse stakeholder groups for giving wide surveillance powers to the government, for lacking clarity on important details and processes, and for its data localisation requirement. The Bill requires that ‘critical personal data’ (not defined in the Bill) be processed only in India, with certain exceptions (viz. a medical emergency or a government-approved transfer). Furthermore, the Bill establishes a separate category of ‘sensitive personal data’ that has to be stored in India and may only be transferred outside India with the prior consent of the data principal for limited purposes (such as a data transfer in relation to an intra-group scheme or a contract, or a data transfer approved by the government or the data protection authority).
Simply put, data localisation means that all or certain data held by companies has to be stored and/or processed within the country of origin. Several countries including China, Russia, Indonesia, Vietnam, and Nigeria have data localisation laws (of varying scope and stringency) in place. BCG notes that the prevalence of such measures has quadrupled since the year 2000, with many falling in the ‘very restrictive’ category.
Let’s put a closer lens to the Bill and see why a data localisation mandate in the Indian context may be problematic, and possibly counterproductive.
Data localisation does not translate to data safety
Simply having data of citizens sitting on servers within one’s borders does not translate into stronger data protection. Rather, the protection of personal information requires sound physical infrastructure, strong encryption, coherent laws, good protocols and skilled personnel. If the policy objective is to safeguard data privacy, then data localisation, by itself, may not be a very effective measure.
India’s weak data security record
Indian companies as well as the government have a poor record of protecting data. A study suggests that around 75% of the surveyed users in India have reported being breached at some point while another report suggests that there were around 390,000 cyber security incidents in 2019 alone. Even government websites are not safe and have been targets for data breaches. In light of such acute vulnerability of Indian websites and data security systems, a data localisation mandate is unlikely to meet the policy goal of data safety.
Concerns of state surveillance
Recently, there have been concerns about state surveillance in India. Illustratively, last year the Pegasus-WhatsApp controversy emerged, in which WhatsApp claimed that it had informed the Indian government about snooping on Indian journalists and political activists by an Israeli surveillance firm that mostly works with government agencies. And in 2018, ten government agencies were authorised to conduct surveillance in a move that is now challenged before the courts.
The Personal Data Protection Bill gives blanket powers to the government to exempt any government agency from the provisions of the Bill, and allows the government to circumvent the data protection measures in the name of public order, friendly relations with other states, national security, etc. Even the former judge, on whose recommendations the Bill is based, has criticised the Bill for granting sweeping and unfettered power to the state. Without any oversight by the data protection authority or a checks-and-balances mechanism, the government will have a free hand over the data of its citizens, which is a concerning scenario.
Massive costs and impediments to free data flow
Data localisation is a costly affair. According to a 2018 study, imposing data localisation measures could shrink the Indian GDP by 0.8% and domestic investments by 1.4%. The added costs of complying with data localisation provisions may make India a less lucrative destination for firms, both Indian and foreign. Small Indian firms, especially tech-related startups, are likely to get a raw deal, as many of them rely on cloud computing and their costs may increase by up to 60% if they have to comply with data localisation requirements.
Further, a data localisation mandate could throttle the growth and openness of the Internet, which in turn is likely to damage the economy.
Data localisation may run afoul of World Trade Organization rules
Data localisation measures are a form of digital trade barrier and hinder the cross-border movement of services and the free flow of data. Under the WTO’s General Agreement on Trade in Services (GATS), the member states have committed to provide a level playing field to service providers, regardless of their nationality. India is a party to the GATS, and the data localisation provisions may potentially be challenged before the WTO as being contrary to India’s commitment to the free flow of services under GATS.
What is the way forward?
India will benefit from a coherent, well-laid-out data privacy regime that clearly spells out the rights and obligations of the stakeholders. However, for any data localisation measures to serve as an effective tool in protecting data privacy, India should first work on articulating clear policy goals, establishing consistent data protection practices, placing limits on state surveillance, observing transparency, and establishing the physical infrastructure needed for digital safety, while keeping an eye on the cost of implementation to businesses, especially those that have smaller wallets.