#DataProtectionTop10: Data Localisation
A Threat to the Free and Open Internet
In part 6 of the #DataProtectionTop10 series, we look at the issues with the restrictions on the transfer of personal data outside India that have been imposed under the Bill. India’s data localisation policy confers excessive discretion to the government, and adversely affects the privacy of individuals. We recommend that the Bill explicitly define critical personal data and should not impose undue restrictions that affect the open nature of the internet.
Last time in part 5, we discussed how voluntary verification of social media accounts affects the rights to privacy of users and leads to self-censorship. In today’s post, we examine one of the most debated issues with the Bill; India’s data localisation policy.
The architecture of the internet is such that it is borderless. It allows the free flow of ideas across borders. In this globalised world, where trade is largely digitised, free flow of data has also become important for the free flow of services. Data localisation policies run contrary to the free and open nature of the internet as it curbs the free flow of data by requiring the storage and processing of personal data within national boundaries. It appears that the main policy considerations behind the data localisation policy are to ensure effective enforcement, prevent foreign surveillance, avoid vulnerabilities in our fibre optic cable network system, and promote growth in the Indian digital economy.
Data localisation is not an entirely new concept in India. India has implemented sectoral data localisation policies before. For example, in 2018, the RBI issued a Circular on the Storage of Payment System Data which mandates the storage of entire data related to payment systems in systems located only in India. The Personal Data Protection Bill, 2019 introduces a comprehensive policy for data localisation. India’s data localisation policy is mired in a host of issues and this post intends to discuss them.
The Issue: Lack of clarity on critical personal data
The restrictions on the transfer of personal data outside India is found in Chapter VII of the Bill. The restrictions are on the transfer of two categories of personal data: sensitive personal data and critical personal data. Clause 33 states that sensitive personal data can be transferred outside India after obtaining the explicit consent of the data principals, but a copy of such sensitive personal data shall continue to be stored in India. This requirement is not exactly data localisation. This is mirroring of data, as processing of sensitive personal data outside India is permitted, the only restriction is that a copy of it has to be stored in India.
On the other hand, the Bill envisages strict data localisation for critical personal data. This means that the data classified as critical personal data can be stored and processed only in India. The transfer of critical personal data may be permitted in two situations where: the transfer is necessary for prompt actions, or the transfer, in the opinion of the Central Government, does not prejudicially affect the security and strategic interest of the State (Clause 34).
The issue here is that ‘critical personal data’ is not defined under the Bill, and it is the Central Government who will decide what will fall under this category. The Report of the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna (‘A Free and Fair Digital Economy Protecting Privacy, Empowering Indians’) gives us some indication of what could potentially fall under the category of critical data. The report states that critical data will include all kinds of data necessary to keep the wheels of the economy and the nation-state turning. The report further states that it is a wider category and may include health, government services, infrastructure data and system control software which includes inter alia transport, waterways and all controlled and sensor mapped infrastructure. It is evident from these examples that critical personal data may even go beyond the scope of personal data. Given the ambiguity in the concept of critical personal data, leaving the Central Government with the power to determine what data will constitute critical personal data will certainly lead to abuse of power by the State through excessive and overbroad intrusions into privacy in the name of national security.
The Concern: Stifling innovation and threat to privacy
Data localisation can stifle innovation and the free flow of data across borders. For companies from outside India, data localisation policy would mean that if they are collecting sensitive personal data of Indians, they have to have a data server located in India to store this data, or if the data they collect includes critical personal data then they will have to store and process it solely in India. Not every data fiduciary has the resources like Google and Facebook to set up servers in India. This added compliance cost would disincentivize foreign companies from bringing their services and products to India. For Indian companies, this policy would mean that their ability to avail the services of foreign cloud service providers would be restricted. Start-ups and other entities who depend on foreign cloud service providers would be required to either set up their own servers or avail the services of domestic cloud service providers. Innovation will be stifled as these businesses would be deprived of global technological developments.
One of the main reasons given for data localisation is the prevention of foreign surveillance. Ironically, storing data within the State raises concerns of domestic surveillance, especially since clause 35 allows the Central government to exempt any governmental agency from the provisions of the Act. Law enforcement agencies always find it difficult to access data stored in servers that are located in other countries. With this new policy for storage of data, law enforcement agencies in the country will easily obtain greater access to data. Therefore, data localisation policy is considered very important for the effective enforcement of domestic laws. However, in the absence of strong surveillance reforms in the country, storing sensitive and critical personal data in India only raises concerns of unbridled intrusion into privacy by the State.
From the perspective of data security also, data localisation is not very convincing. In fact, data localisation only creates greater risks to the security of data. Storing all critical personal data and sensitive personal data in few data centres within the country, as opposed to scattering them across the world, would only increase the risk of cyber attacks. Just like putting all our eggs in one basket!
Solution: Define critical personal data to preserve the open nature of the internet
The policy for local storage of the data under the Bill is vulnerable to abuse by the State due to the ambiguity in the concept of critical personal data and the excessive discretion given to the government in determining what constitutes critical personal data. Therefore critical personal data must be defined in the Bill itself and should not be left to be defined by the executive without any guiding principles. It is also important that data which pertains to the critical information infrastructure of the State and that does not fall under personal data be kept out of the purview of critical personal data.
The seventh principle of the Indian Privacy Code which is concerned with the protection of the open internet states that care and caution should be taken to preserve the global character of the open internet. Open internet is beneficial to Indians as they can access information, knowledge and services from all over the world. Hence, in a strong data protection law, rules such as blanket data localisation proposals, which would threaten and undermine the global open internet should not be included.
To preserve the open nature of the internet, it is imperative that the Personal Data Protection Bill, 2019 does not mandate the storing and processing of personal data only in India. The safety of personal data does not depend on the physical location where it is stored. The protection of personal data transferred outside the boundaries of India must be achieved through a data protection framework that provides for adequate safeguards to ensure that data protection rights apply to the data of Indians no matter where it is stored and processed. For instance, Japan amended their data protection law, The Act on the Protection of Personal Information, 2003, last year to strengthen the protection of personal data in international transfers. The Amendment will come into force in 2022 and has broadened the disclosure obligations of the data fiduciaries. It requires them to provide the users, prior to obtaining their consent, information on the data protection system of the foreign country and the actions taken by the third party for the protection of the data. The obligations of data fiduciaries have also been tightened for transfers of personal data pursuant to standard contractual clauses.
Our data protection law should also consider incorporating such protections instead of a data localisation requirement. India should abandon the data sovereignty approach and should adopt approaches that ensure the free flow of data and protection of the rights of users.
This is the sixth post in our series on the issues with the Personal Data Protection Bill, 2019. Read part 1 here, part 2 here, part 3 here, part 4 here, and part 5 here.
- The Personal Data Protection Bill, 2019 as introduced by the Minister for Electronics and Information Technology, Mr. Ravi Shankar Prasad (link)
- Essential Features of a Rights Respecting Data Protection Law dated February 28, 2020 (link)
- IFF's Public Brief and Analysis of the Personal Data Protection Bill, 2019 (link)
- The SaveOurPrivacy Campaign (link)
This post has been largely drafted by Fathima V N, who is a 2020 graduate of the National University of Advanced Legal Studies and is currently a Daksha Fellow interning at IFF with the supervision of our staff.