Why global companies oppose data localisation

Written By Mansi Taneja | Updated: Jul 31, 2018, 06:00 AM IST

Most argue that start-ups and companies dealing with personal data will have to make additional investments

India has taken the first step towards creating a framework for data protection and privacy of users data. The first draft of the bill for data protection came out last week outlining measures to safeguard data and redressal mechanism in case of data breach, but experts have called for more consultations on the issue besides picking up grey areas in the framework.

The first and foremost -- data localisation where the draft bill has suggested that personal critical user data will have to be processed and stored in India on a server or a data center located in India. The personal data may be transferred outside India, but at least one copy of the data needs to be stored in India.

This provision is bound to create ripples across the global firms operating in India. Many startups and companies dealing with personal data will have to make an additional investment to comply with these norms.

Shweta Mohandas from the Centre for Internet and Society told DNA Money that most startups that have been using cloud services till now will have to spend more money in order to ensure that they comply with the provisions of the bill.

Mahesh Uppal, a telecom analyst, echoed similar views. "It will be an additional investment for startups and companies dealing in personal data and am sure they are not quite amused about it. Cost reduction is a major issue for them as well as business flexibility where they decide what suits them best in terms of location of data."

"All these things -- in the end are commercial decisions. Some companies may choose to lessen their exposure and some might spend willingly to take extra cost, depending upon the benefits," Uppal said.

Besides, there is no clarity on how critical personal data will be defined.

"Personal data that is considered as "critical personal data" shall only be processed in a server or data center located in India. This provision can be problematic as there is no definition of what "critical personal data" would include. This provision may make startups wary of working on products and services in sectors such as healthcare and fintech, where the data is already considered sensitive and has a potential to be considered as "critical personal data", Mohandas adds.

Even the association for IT industry Nasscom along with Data Security Council of India expressed concerns over this provision of data localisation. "Mandating localisation of all personal data as proposed in the bill is likely to become a trade barrier in the key markets. Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets."

Mozilla, the maker of Firefox browsers, in a blog says,"Notwithstanding the protections on processing in the interest of the security of the state, it's hard to see that this provision (data localisation) is anything but a proxy for enabling surveillance."

An expert panel headed by Justice B N Srikrishna, on Friday, submitted its report on data protection as well as the draft 'The Personal Data Protection Bill, 2018' after a year-long consultation process. Other recommendations include setting up of a data authority, option of withdrawal of consent, penalties proposition and criminal proceedings for violations. It also suggested steps for protection of personal information and defined obligations of data processors and rights of individuals.

The report has come at a time when there are alleged reports of data leakage and misuse with respect to Aadhaar and breaches of data of Facebook users by data analytics firm Cambridge Analytica. In May this year, the European Union General Data Protection Regulation (GDPR) also came into force under which all the firms had to adhere to the new regulations.

In the committee's report, there are suggestions on consent which comprises personal data including sensitive personal data, exemptions which can be granted, grounds for processing data, storage restrictions for personal data, individual rights and right to be forgotten. It also has suggestions on rights of children, data protection authority and the right to recall data.

Many experts have criticised the committee's report for not treating Aadhaar as an integral part of the whole data protection issues. Though the Supreme Court is looking into the entire Aadhaar case, there could have been wider details on it and data issues, although the committee has proposed some modifications in the Aadhaar Act, according to an expert.

When asked about Aadhaar issue, Uppal says the committee should have delved deeper into it. "By treating these things in parts, it reduces the value of this report as nobody can argue that Aadhaar is not a key part of the privacy issue."

Dissent within members on data localisation

The report even had some dissent notes on data localisation. A member of the expert panel, Rama Vedashree, the CEO of Data Security Council of India set up by Nasscom, has termed the data localisation requirement as "not only regressive but against the fundamental tenets of our liberal economy."

Her dissent note is part of the report.

Another committee member Prof. Rishikesha T Krishnan, director, IIM, Indore, in his dissent note has said, "The requirement that every data fiduciary should store one live, serving copy of personal data in India is against the basic philosophy of the Internet and imposes additional costs on data fiduciaries without a proportional benefit in advancing the cause of data protection."

Mozilla, in a blog in June, said a data localisation mandate may also harm the Indian economy. "India is home to many inspiring companies that are seeking to move beyond India's generous borders. Requiring these companies to store data locally may thwart this expansion, and may introduce a tax on Indian industry by requiring them to maintain the legal and technical regimes of multiple jurisdictions."

Such a mandate would force companies to use potentially cost-inefficient data storage and deny companies from using the most effective and efficient routing possible, the company said.

The draft bill will go for inter-ministerial consultations before it is sent for a Cabinet approval and a final approval of the parliament before it becomes a law.

Overall, Uppal says the draft has tried to balance the interests of the data principal (individuals) and data fiduciaries (people who deal with it) and the government. But, he expects that the bill won't go to the parliament in the same form as far more extensive discussions are required as the matter is complex.