This article is written by Vishesh Gupta from the Institute of Law, Nirma University, Ahmedabad. This article discusses various Indian and International Laws for Data Localization. This article further analyzes various new digital technologies where cross border data transfers take place.
In the modern world, the difference between the powerful and the weak is not physical strength but the amount of data one possesses and the way one utilizes it. It is well known that knowledge is power. According to the ranking by Forbes, the most powerful people today are either heads of nations or CEOs of top-tier MNCs. All of these people possess an endless amount of data. The government has started realizing that data is power and that data is essential for national security. The shocking revelation from the Snowden case proves this. This case has drawn more attention to the importance of data protection and has led to the rise of data localization. This article provides an exhaustive overview of data localization and analyzes the importance of data localization in the modern world. It further analyzes the current laws in India for data localization.
What is Data localization?
Data localization means physically storing and/or processing the data of a nation’s citizens within the jurisdiction of that nation. This is achieved by restricting or prohibiting the cross border transfer of data and subjecting the data to the laws of the nation where data is stored and/or processed. Data localization is the opposite of ‘digital globalization’, which refers to the free cross-border movement of data.
This is one of the most frequently debated areas of law. Countries like China, Australia, France, and Germany have imposed data localization laws, whereas the USA has been against it. One of the reasons the USA is against it is that most of the information-based MNCs, like Google, Amazon, and Facebook, are located in the United States of America.
Even within data localization, the degree of restriction on the cross-border transfer of data varies. China, for instance, imposes a blanket data localization where any personal data and important data procured in China will have to be stored in China. On the other hand, Australia imposes data localization laws on health records only.
Importance of Data Localisation
The reasons why data localization is considered an absolute necessity are:
- Protecting the fundamental right to privacy
In the landmark case of Justice K.S. Puttaswamy (Retd.) & Anr v Union of India, 2017, the Supreme Court recognized the right to privacy of an individual as a fundamental right. Article 12 of the Universal Declaration on Human Rights and Article 17 of the International Covenant of Civil and Political Rights protect the right to privacy and state that no one can interfere with a person’s privacy.
- Protection of data from foreign surveillance
This point can be explained through the Snowden case.
In 2013, a National Security Agency (NSA) consultant, Edward Snowden, revealed a number of surveillance programs that the NSA conducted in cooperation with information-based MNCs. This cooperation with MNCs allegedly granted U.S. government agencies direct access to the communications data of global users, politicians, and various corporations.
With all kinds of data received from MNCs, which included data from cell phones, laptops, social media companies, and Skype, the NSA built a detailed profile of targets and anyone associated with them. This was called “a pattern of life.”
Their surveillance was not limited to terror suspects. The NSA was allowed to travel “three hops” from its targets.
1st Hop: Friends of the suspect. Around 43 people.
2nd Hop: Friends of friends. Around 3,975 people.
3rd Hop: Friends of friends of friends. Around 1,328,361 people.
- Ensuring privacy protection of citizens.
Privacy of data is not only threatened by foreign surveillance; MNCs can also give access to third parties without the knowledge of the users and the government. The Cambridge Analytica controversy is an example of this point.
Cambridge Analytica, a British political consulting firm, used data that was acquired from Facebook to build voter profiles and preferences and sold this to political campaigns.
- Quick access to data when necessary
It is difficult to get access to data stored in other countries. Therefore, in times of necessity (national interest), if data is stored within the jurisdiction, the data can be accessed in a short time. Also, easy access to data stored within the jurisdiction makes the companies collecting and storing this data more accountable to the citizens of that jurisdiction.
- Subjecting Data to national laws of the country where data is stored
Not all countries have adequate legal order for the protection of data. Therefore, the nation whose data is being stored in different countries may impose data localization to prevent data from being transferred to such countries where laws for the protection of data are not adequate. Countries such as China and Russia have advocated the need for increased sovereign control over domestic cyberspace.
Further, in criminal or civil cases filed against a corporate entity having its data located elsewhere, it would be difficult for the country where the legal proceeding was initiated to impose its national laws on data stored in a foreign country. Also, the countries where data is stored may refuse to cooperate.
- Economic Benefits to the nation where data localization is imposed
For storing data, physical infrastructure is required. Therefore, data localization will accrue economic benefits for the local industry in terms of employment (for creating infrastructure). Another benefit relates to attracting investment, fueling innovation, and creating a competitive advantage for domestic companies.
Disadvantages of Data Localisation
- Location of Data doesn’t affect the level of protection
The goal of achieving greater data security is not contingent on the location of the data, as data localization measures presume, but rather on the underlying technical protocols and the design of the infrastructure where data is stored.
For instance, if the encryption system of a digital service is weak, the privacy of users can be compromised irrespective of the location of the server.
- Protectionist Approach
The protectionist approach refers to government measures that are trade-restrictive and are made with the objective of protecting or shielding the domestic industries. Data localization can be challenged as being a protectionist approach as it puts a duty only on foreign companies to build infrastructure. This duty puts a financial burden on foreign companies. The burden of data localization is not faced by domestic companies.
- Economic loss to the companies
The requirement of data localization increases operational and compliance costs for the companies as they have to duplicate the infrastructure in all countries where data localization law has been implemented.
Foreign companies bear a significant increase in costs to comply with different and stringent standards of privacy or security. However, this point is negated in the discussions because national security prevails over compliance costs.
- Negative Impact on the Economy of the country implementing data localization
Data localization requirements have led to a negative impact on GDP in several countries where such requirements have been imposed. Data localization measures are considered economically inefficient and even disruptive sometimes.
Public Records Act, 1993
- Without the approval of the Central Government
- If sent for official purposes, no approval of the central government is required.
Information Technology Rules, 2011
As per Section 87 of the Information Technology Act, 2000, the Central Government issued Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.
Rule 7 of the IT Rules, 2011 allows the cross-border transfer of sensitive personal data by a body corporate to those countries that ensure the same level of data protection that is expected under the IT Rules. Cross-border transfer is only allowed in 2 cases:
- Performance of a lawful contract between the body corporate and the person whose data has been transferred. OR
- If the person has consented to the data transfer.
The Companies (Accounts) Rules, 2014
The proviso of Rule 3(5) of the Companies (Accounts) Rules, 2014 mandates a company to keep a back-up of the books of accounts and other books, which are maintained in India or outside India, in servers physically located in India on a periodic basis.
Agreement For Unified License, 2014
In the license agreement between telecom service providers and the government, Clause 39.23(viii) puts a duty on the licensee to not transfer accounting information of the subscriber (except for international roaming/billing) and user information (except pertaining to foreign subscribers) outside India.
The Notification mandated all the system providers that are payment banks, like Mastercard and Visa, to store all data relating to payment systems in India only, and set a limit of 6 months for system providers to comply with the Notification and thereafter submit a compliance report to the RBI.
Data relating to payment system included:
- Full end-to-end transaction details.
- Information collected/carried/processed as part of the message/payment instruction.
The purpose behind this was to ensure better monitoring by having unfettered supervisory access to data stored.
RBI issued clarifications on implementation issues sought by Payment System Operators (PSOs) on the ‘Storage of Payment System Data’ regulations.
This clarification stated that payment data can be processed outside India; however, it has to be deleted after processing and transferred back to India for storage within a business day or 24 hours, whichever is earlier. This move has been criticized on the following grounds:
- It is difficult to track whether data, on foreign soil, has been deleted or is still stored.
- Data is subject to the laws where it is transferred. Therefore the law enacted in India cannot direct the usage of data in foreign jurisdictions.
Companies like Paytm, Airtel, PhonePe have welcomed the decision whereas companies like Mastercard, Visa, Facebook, and Amazon have shown dissent.
The Centre of Information Privacy Leadership (CIPL) has suggested creating ‘data mirroring’ options and creating ‘multilateral and bilateral instruments’ for data sharing. They contend that this Notification is a trade barrier and will spoil the “Digital India” initiative. However, no repercussions have been laid out for companies that do not follow the Notification.
The Personal Data Protection Bill, 2019
The Personal Data Protection Bill, 2019 (“The bill”) was introduced in the Lok Sabha in the winter session of the Parliament by the Ministry of Electronics and Information Technology. The bill has been referred to the Standing Committee for review.
The bill was based on the Data Protection Committee Report, 2018, which was drafted by the Data Protection Committee headed by Justice Srikrishna (Retd.).
The landmark case of Justice K.S. Puttaswamy (Retd.) & Anr v Union of India, 2017, where the Supreme Court held that the right to privacy is a fundamental right, is the source of inspiration for the Personal Data Protection Bill, 2019. The Preamble of the Bill recognizes the right to privacy as a fundamental right and aims to protect the privacy of the citizens.
The bill also proposes data localization laws for furthering the data protection of Indian citizens and is broadly based on the principles of the General Data Protection Regulation, 2016 (GDPR) (implemented in 2018) which is the data protection law enacted in the European Union.
Personal Data: as elucidated in Section 2(28) of the Bill, means data about a natural person who is directly or indirectly identifiable, by recognizing characteristics, traits, attributes, or any other feature of the identity of such a natural person.
As mentioned in Section 2(36) of the Bill, Sensitive Personal Data means any personal data which constitutes financial data, sexual orientation, health data, official identifier, sex life, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation or any other data categorized in Sec 15 of the Bill.
Data fiduciary: as defined in Section 2(13) of the Bill, means any person, including the State, a company and any juristic entity who determines the purpose and means of the processing of personal data.
Data principal: according to Section 2(14) of the Bill, includes the natural person to whom the personal data relates.
Data processor: as per Section 2(15) of the Bill, means any person, including the State, a company, any juristic entity who processes personal data on behalf of a data fiduciary.
Transfer and processing of Data
There are no data localization or cross-border restrictions for personal data. There is a free cross-border flow of personal data from India to other countries.
There is a localization requirement for sensitive personal data. Sensitive personal data, as per Section 33(1) of the Bill, has to be necessarily stored in India only.
However, it may be transferred outside India for the sole purpose of processing, only when certain conditions are met:
1. If the transfer is explicitly consented to by the individual whose data is being transferred.
2. If the transfer is in pursuance of a contract or intra-group scheme approved by the central authority. The intra-group scheme shall only be selected if the scheme has provisions for:
  - effective data protection
  - liability of the data fiduciary for non-compliance.
3. If the transfer is allowed by the Central Government, after consultation with the Authority, after finding that:
  - the sensitive personal data shall be subjected to an adequate level of protection in the country where the data is transferred.
  - the transfer does not prejudicially affect the laws of the jurisdiction.
4. If the transfer is for a specific purpose.
The draft of the bill had also contained the provision of storing the copy of data in India which was done away with in the Bill, 2019.
The bill introduced a new type of data named critical personal data which can be only processed in India. Critical personal data, as defined in Section 33(2) of the Bill, is any personal data which is notified by the Central Government to be critical personal data.
As per Section 34(2) of the Bill, the Critical Personal Data can be transferred outside the territorial jurisdiction only when such transfer is to:
- anyone engaged in the provision of health services or emergency services where such transfer is necessary for prompt action under section 12.
- a country or, any entity or, to an international organization, where such transfer in the opinion of the Central Government does not prejudicially affect the security and strategic interest of the State.
Data Protection Authority of India
The Bill sets up a Data Protection Authority under Section 41, which may, as per Section 49 of the Bill:
- Take steps to protect the interests of individuals
- Prevent the misuse of personal data
- Ensure compliance with the Bill.
Draft National e-Commerce Policy
The Draft National e-Commerce Policy (“Policy”) doesn’t impose strict data localization measures. It does not require storing of data in the territorial jurisdiction of India.
Instead, it imposes restrictions on cross-border transfer of sensitive data of customers by e-commerce based companies. The draft proposes that any sensitive data stored outside India shall not be made available to any 3rd party or foreign government irrespective of the consent of the customer. In case of giving data to a foreign government, data can be given but with the prior permission of the Indian Authorities.
The Draft National e-Commerce bill has not been ratified yet and according to Piyush Goyal, the provisions of cross-border transfer of data will be removed from the E-Commerce Bill because it has already been covered in the pending Personal Data Protection Bill, 2019.
General Agreement on Trade in Services
GATS is the treaty of the World Trade Organization (WTO) which entered into force in January 1995. The treaty provides a multilateral framework of principles and rules for trade in services with a view to the expansion of such trade, in the same way that the General Agreement on Tariffs and Trade (GATT) provides such a system for trade in goods.
There is no explicit law on data localization in WTO law; however, data localization measures are considered violative of the GATS market access commitment and national treatment commitment in certain cases.
In GATS, there are 4 modes of Supply which are as follows:
- Cross-border supply: supply of service from one territory to another.
- Consumption abroad: supply of service in the territory of one Member to the service consumer of any other Member.
- Commercial presence: supply of service by a service supplier of one Member, through commercial presence in the territory of any other Member.
- Presence of National Person
The countries that are signatory to GATS have to maintain a schedule of specific commitments as per Article XX of GATS. A specific commitment is an undertaking to provide market access and national treatment for the service activity in question on the terms and conditions specified in the schedule for different modes of supply.
Market Access Commitment
Market access commitment, as per Article XVI of GATS, means that a member of the WTO shall not treat other members less favourably than provided in its schedule of specific commitments. For example, if country A has provided full freedom in the service sector of telecom (by inscribing “none” in its schedule of specific commitments for the telecom sector), country A cannot impose any regulation on any company (whether national or foreign). If it imposes any regulation, it will be considered a violation of the market access commitment.
Data localization measures limit cross border trade in ‘data-base services’ and ‘data processing services’ by restricting data transfers across borders. Therefore, if any country has provided full freedom in their schedule of specific commitment for database services (by inscribing “none”), then imposing data localization laws is a violation of the market access commitment under Art XVI:1 and XVI:2(c). However, if a country has specified in their commitment that they can impose data localization, then they are allowed to impose it.
National Treatment Commitment
National Treatment commitment under Article XVII of the GATS prohibits Members from discriminating in favour of their domestic companies only if they have inscribed “none” in their schedule of specific commitment.
Data localization measures accord less favourable treatment to foreign service suppliers, as they have to build infrastructure in the country imposing localization measures while the local companies do not incur such cost.
Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)
The Comprehensive and Progressive Agreement for Trans-Pacific Partnership is a free trade agreement between 11 countries. CPTPP prohibits ‘localization requirements’ that would force businesses to build data storage centres or use local computing facilities in the CPTPP market. However, this agreement is not a universal law as it is binding on the 11 signatory countries only.
New Digital Technologies
The National Digital Communications Policy-2018 recognized various new digital technologies to help India improve its digital space until 2022. All these technologies contain a lot of personal and sensitive personal data and therefore are governed under Sec 43A of the Information Technology Act. Sec 43A puts a duty on a body corporate that possesses, deals with or handles any sensitive personal data or information to ensure adequate protection of such information.
To study issues related to virtual currencies in India, the Central Government constituted the Inter-Ministerial Committee on Virtual Currencies. It was headed by finance secretary Subhash Chandra Garg.
In the report they submitted, they focused on the point that data localization should be implemented carefully in the case of virtual currencies because data localization norms under the Data Protection Bill may create obstacles in the effective adaptation of Distributed Ledger Technology (DLT). This is because, in DLT, data is stored in different places. Restricting all data to one place will adversely affect the ability of Indian manufacturers and consumers to get the benefits of DLT, such as global supply chains, more security for data, and international services infrastructure.
The concept of cloud computing and data localization are two ends of one spectrum. Data localization at one end advocates for storing all the data in one place whereas cloud computing is all about storing and processing data from remote data centres via the Internet. These two are considered as alternatives to each other.
The point of protecting privacy by enforcing data localization laws is negated by the benefits of Cloud Computing. In Cloud Computing, data is stored at different places making it hard to trace the data and tamper with it.
The government started the GI Cloud initiative, named ‘MeghRaj’, which was designed to promote the use of cloud services by the government. Even cloud computing has been localized. For setting up data centres for the cloud, the facilities and the physical and virtual hardware should be located within India. Even the Network Operation Centres and Security Operation Centres shall be located within India.
MEITY Guidelines for Government Use of Cloud Services
The Ministry of Electronics and Information Technology (MEITY) issued guidelines in 2017 for the setting up of IT infrastructure by the Indian Government using cloud computing technology. However, according to the terms and conditions of the Empanelment of the Cloud Service Provider, data will necessarily have to be stored and reside in India.
Telecom Regulatory Authority of India Recommendations On Cloud Services
In 2017, TRAI released a recommendation on Cloud Services:
- A ‘light touch’ approach can be adopted to regulate cloud services.
- All the cloud service providers (CSP) that are above the threshold prescribed by the government have to become a registered member of the registered industry body.
- The CSP also has to accept the code of conduct prescribed by such an industry body.
- Instituting a Cloud Service Advisory Group (CSAG) to act as an oversight body to oversee cloud services in India and suggest actions to the Government for the betterment of cloud service in India.
Internet of Things
We are all surrounded by some kind of technology that is connected to the internet, ranging from a phone to a traffic signal to even cars. All these different technologies are interconnected, and they collect our data and share it on a platform known as the Internet of Things (IoT). IoT is an ecosystem that connects every digital gadget through the internet. It collects data from different sources and processes it. It improves user experience or the performance of devices and systems according to the data. In IoT, there is machine-to-machine interaction without any human intervention.
The data collected by various gadgets also includes personal as well as sensitive personal data of the users, such as bank account details, blood group of an individual, etc. This data is available on the IoT platform, which is virtually omnipresent and is not considerate of territorial jurisdiction, and this raises the concern of privacy.
The Draft National e-Commerce Policy has the objective of regulating cross-border data flow while enabling the sharing of anonymized data, which includes data collected by IoT devices installed in public spaces like traffic signals or automated entry gates.
National Digital Communications Policy – 2018
The National Digital Communications Policy-2018 (NDCP-2018), approved by the Union Cabinet, is the new telecom policy that aims to facilitate India’s effective participation in the global digital economy.
The policy further aims to ensure digital sovereignty and the other objectives to be achieved by 2022.
This policy is considered forward-looking as it looks to safeguard the data of the citizens without imposing data localization laws. One of the missions of this policy is to utilize the power of emerging digital technologies, which includes 5G, Artificial Intelligence, Internet of Things, Cloud and Big Data, and to establish India as a global hub for cloud computing.
There is an abundance of data in today’s world. Adding to this, data transfer from one country to another takes seconds. Most types of data can be easily copied without the knowledge of the owner of the data (even encrypted data).
Because of these factors, determining the location of data and ensuring the privacy of data seems improbable. Keeping track of what kind of data is being transferred is also difficult. Data localization is one of the solutions for keeping track of data; for ensuring privacy, however, alternatives like cloud computing are more apt. This article nevertheless remains neutral on the validity of data localization laws.
Analyzing the law on data localization in India, the Personal Data Protection Bill, 2019 has been widely criticized for giving too much power to the central government. Many MNCs have lobbied against the bill. Now analyzing the country that is imposing such laws, the infrastructure and the regulatory system for the protection of data in India are still developing. Imposing a volatile data localization law in a country that is still evolving in data protection is not the ideal case.
Still, even if the data localization law is imposed, it should be imposed carefully and the main objective of the authority in power should be to protect the data of its citizens rather than misusing it.