India to adopt data localization

The Global data protection wave is approaching the Indian shores as well. Different steps in the last few months indicate that the country is adopting mandatory local processing and storing of critical personal data.

According to government sources, first data localization requirement will be imposed on the ecommerce sector. Towards this, a draft ecommerce policy is prepared, and companies must keep critical personal data within the country.

The ecommerce policy draft is based on the proposed Data Protection Bill. The Bill says that “Every data fiduciary (any entity processing personal data) shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.”

Data localization as a global trend

Data localization is the new trend in the internet world where there is borderless flow of information. In recent years, countries are instructing companies to keep critical data about consumers to be stored and processed within their domestic territories. Laws asking entities to keep data about citizens were enforced by several jurisdictions including the EU. As per the EU’s General Data Protection Regulation (GDPR), important data are to the stored within the EU territory.

The GDPR is now emerged as the model data protection law for several countries.

Most Data protection legislations are aimed to give protection to the privacy of individual’s data. At the same time, they contain provisions for national control over critical citizen information. Here comes the role of data localization clauses under the data protection legislations.

Data localization laws are regulations enforcing how data can be processed in a certain territory. Though the internet is a borderless world, where companies like Facebook, Google etc. would like to have a centralized store house for data without keeping data in individual countries; governments prefer the opposite.

India’s data protection legislation

The move towards data protection in India has been accelerated after the recommendations of an Expert Group on data protection, headed by Justice BN Srikrishna. The Committee brought out a draft Data Protection Bill along with its final report. Government is inviting public opinion about the Bill and is expected to introduce it in the Parliament soon.

Interestingly, the Bill’s origin is not just in the Srikrishna Committee Report. The Supreme Court in a historical verdict that is going to influence the character of the Indian society in August 2017 ruled privacy as a fundamental right. Since then, legislations were on the card for protecting privacy. Appointment of the Expert Committee on data protection was indeed a beginning.

The Srikrishna Committee necessitates companies to store a copy of a user’s personal data in the country. Hence the draft bill prepared by the committee also has several clauses regarding data protection and also gives enough attention to data localization.

The draft ecommerce policy incorporates Srikrishna Committee’s suggestion that the government would have access to data stored in India for national security and public policy objectives subject to rules related to privacy, and consent.

Data localization requires ecommerce firms like Amazon to keep consumer information in servers located in India. Here, the Amazon Web Service is a gigantic cloud-based server; but Amazon has to change its server policies in the context of legislative interferences. Similarly, most other players also have to go for Indian servers.

Beyond the ecommerce world, several difficulties may occur when the government extends localization requirement to social media platforms. Here, localization of social media data is not going to be easy and national restrictions may divide the internet.

*********