
Data Localization Takes Back Seat


Having presented data localization as a means to boost economic growth and ease access during legal investigations, the government now appears to be fine with allowing the transfer of data to, and its storage in, other countries. A media report says the revised data protection Bill allows data to be shifted to “trusted geographies”.

Readers would recall that in 2019, the government had introduced a data protection Bill in the Parliament that proposed India’s first economy-wide data localization framework. It was followed by sector-specific data localization measures in areas such as telecom as well as payment gateways as mandated by the Reserve Bank of India. 

However, a report in the ET now quotes unnamed sources to suggest that the data localization requirement is being done away with and that the government would decide, from time to time, which geographies could be trusted. In addition, it says that the criminal penalties proposed for enterprises involved in data breaches are also being scrapped in the redrafted Bill.


What changes are likely?

The proposed Bill, which could be made available for publication later this week, suggests imposing penalties to the tune of Rs.200 crore, multiplied by the number of users impacted on every breach. These decisions would be taken by a Data Protection Board that would be set up under the Bill to adjudicate on such data breaches and their impact.

So, what’s causing the government to back-pedal on this issue? Could it be the pressure that some of the big tech companies had applied over the last year, which eventually resulted in the government recalling the original Data Protection Bill and coming up with a redraft? Or are there valid reasons that did not appear on the horizon when they decided on the provisions?


IT minister believes that all is well

Meanwhile, Union Minister of State for Electronics and IT Rajeev Chandrasekhar said via his Twitter handle that the new Bill would end “misuse of customer data violates privacy and data protection expectations”. 

Chandrasekhar referred to Google’s $392-million settlement and said India’s Digital Data Protection Bill would also end such practices. “India’s #DigitalDataProtection bill will put a stop to this – & ensure that any Platform/Intermediary that does this will face punitive & financial consequences,” he tweeted.

Readers would also recall that the Data Protection Bill was withdrawn in August after five years of drafting. Even the nomenclature has been changed from Personal Data Protection Bill to Digital Data Protection Bill, which means the new draft may also remove provisions related to regulating non-personal data and social media.

At the time of the Bill’s withdrawal, IT Minister Ashwini Vaishnaw had said the revised Bill would contain a comprehensive digital legal framework for the country as well. This could perhaps explain the shift in stance, given that criminal penalties, non-personal data and social media regulations had become contentious clauses for big tech companies.

The original Bill had 81 suggestions for amendments and another 12 for modifications from the joint parliamentary committee that reviewed the draft for nearly two years. In fact, these numbers prompted the government to withdraw the original Bill and inform Parliament then that a redraft would be made available soon. 

On the earlier occasion, the government had pursued data localization for four reasons. These include securing faster and better access to personal data for law enforcement, increasing economic growth and boosting employment, preventing foreign surveillance and ensuring better enforcement of data protection laws. 

A research report by Carnegie India suggested that two of these objectives, viz., preventing foreign surveillance and ensuring better enforcement of data protection, would not be fulfilled by data localization. It said the best way to make legal data claims was to directly establish regulatory jurisdiction. The report also claims that data localization and data access cannot be equated. Localization policies premised on the mistaken assumption that the two can be equated are not likely to serve their purpose and may result in unintended costs.

