Data Localisation in India

Data Localization in India
Data Localization in India

“Data is the new oil”- this statement rightfully portrays the significance of data in almost all sectors in the present globalization era. With the increasing importance of data in every sphere, the regulation of data collection, processing and storage has become a topic of major discussion worldwide.

 In April 2018, RBI put out a circular with respect to data regulation. As per the RBI circular ‘all data related to payment systems were to be stored in a system only in India’

The circular mentioned the following points-

  1. In case of domestic transactions, data shall be stored in India.
  2. Overseas processing of domestic transactions was allowed if necessary with prior RBI approval but with the condition that post processing, the data would be stored in India only.
  3. In case of cross-border payment involving foreign and domestic components a copy of domestic component can be stored abroad based on requirements.

Later in July 2018 the Committee headed by Justice Srikrishna submitted its report on data protection along with a draft Data Protection Bill 2018.

Certain aspects of the report have been discussed below:-

  1. Report recommended storage of personal data of Indian citizens to be done on servers present within India. Even in cases where process is needed to be done overseas the data has to be brought back post processing and stored in India.
  2. The report states a subset of this personal data containing more intricate information like password date of birth etc, as sensitive/ critical personal data. The collection processing and storage of these sensitive personal data has to be done within India.
  3. The government shall have unfettered access to personal data provided that it is significant for functioning for parliament or state legislature.
  4. The report recommended setting of a Data Protection Authority (DPA) whose duty will be to function as a regulatory body for data network by monitoring safeguarding and preventing misuse of data.
  5. The committee recommends that collection processing and storage of data shall be done only for “clear, specific, lawful” purposes.

From the above mentioned guidelines, it is evident that the basic premise of discussion is “Data localization “. Data localization refers to storage of data on servers or any similar devices that has to be present within the geographical boundary of a specific country from where data originated. The recent Indian approach of data localisation is primarily is to serve two purposes -data security and easier faster accessibility. Data localisation is basically aimed at ensuring better access it would help in law enforcement. Due to complicated data access rules and regulations and unavailability of data locally, in recent times some unfortunate incidents have been reported. For example- Number of lynching cases have occurred in India due to rumors spread in Whatsapp and due to the complicated regulations in data access, the legal procedure gets delayed considerably. Further the Facebook- Cambridge Analytica controversy exposed the vulnerability of user data to foreign entities. The data localisation approach is also aimed to protect a country’s sovereignty by protecting its data from foreign surveillance came to limelight recently due to Edward Snowden leak where Edward Snowden, an American whistleblower leaked classified NSA data in public domain. Data localisation is seen as a measure to prevent such mishaps. Also data localisation has certain added benefits like it will require infrastructural development for data storage. It would also help in developing skills in the data storage and analytics and this will lead to creation of domestic job opportunities .

Despite its positive contributions, data localization and the draft Data Protection Bill, 2018 has major drawbacks. Some of them are discussed below-

  1. The basic loophole of India’s data localization approach is that storing data locally does not necessarily mean easier access to the data. For example- suppose some foreign company like Amazon, Facebook, etc. setup a data storage and analysis centre in India, then only this Centre establishment is not going to give the Indian government exclusive right over the data stored and Indian government will have to access data as per guidelines followed by the company as per its country of origin.
  2. Storage of entire country’s user data will basically create a honey pot of data exposed to domestic threats like cyber attacks.
  3. India lacks of proper privacy protection laws with the only mandatory rule on data localization being the RBI circular for payment systems. This ultimately means that even if local data centers are created in India, the primary purpose of data security will be in threat unless proper, efficient laws are put in place.
  4. Even minute dysfunction like electricity fluctuation, water drips, etc in the data centers can jeopardize the data stored and cause havoc. Further the data centre would demand humongous amounts of resources like electricity and water in order to function efficiently and this might be a difficult goal for India to achieve, as it has both electricity and water deficiency.
  5. The mandate for setting up of multiple local data centres will considerably increase the cost for industries and organistions. This increase in costs will adversely affect all global organisations but its effect would be more severe for medium and small scale organisations.
  6. In case of transnational terrorism, cyber crimes and money laundering involving non-Indian individuals and accounts , India will have to rely upon existing bilateral , Mutual Legal Assistance Treaty {MLAT}.
  7. India’s present free flow of data approach has benefited and positively contributed to its economy. Adopting data localisation will negatively impact economy. As per the European Centre for International Political Economy ‘Hard data localization laws drains around one percent of GDP from economy’. This GDP drain does not provide an equivalent amount of benefits.
  8. Further data localisation laws will invite retaliatory measures in form of trade barriers etc from foreign governments which will further detoriate the Indian economy.
  9. The Data Protection Bill does not put adequate checks on access of data by government and this may lead to misuse of data thereby defeating the sole purpose of data localisation.

Today, the world is witnessing the fourth stage of Industrial revolution in the form of globalisation. The core essence of globalization depends on free flow of data across border as isolated data would not prove to be effective. India’s concern regarding data security is genuine, but imposing hard data localisation will not address the issue. India must address the issue. India must aim for bringing about modifications in the existing bilateral MLATs so as to increase their efficiency and to ensure fast data access. Also careful application of required minimal restrictions on cross- border data transfer will prove to be beneficial. India needs to focus more on developing laws of protection of data privacy in order to ensure rapid globalization.


Download PDF


Be the first to comment

Leave a Reply

Your email address will not be published.