If you spent any time with a privacy wonk in India talking about data protection these past few months, the odds of having heard them mention “data localisation” are pretty high – with good reason. In the past year or so, data localisation has been a recurring theme in almost every key government policy with data governance implications.
Simply put, data localisation is the idea that the personal data of individuals in a particular country should be processed and stored in that country. Its corollary is that the transfer of data across borders should be disallowed, or restricted.
Data transfer restrictions have manifested in varying degrees across various government policies this past year. Earlier this month, Reuters reported that a government panel framing India’s cloud computing policy would likely recommend that data generated in the country must be stored locally. At the end of July, the news agency carried a report on a draft national e-commerce policy (see the draft later published by MediaNama) that mandated similar restrictions on e-commerce and social media companies. These developments closely followed the release of the recommendations of the Justice Srikrishna Committee on Data Protection and a draft data protection bill that, when enacted, will spell out India’s overall data protection framework. The bill requires data fiduciaries (entities that control and make decisions about processing personal data) to store a copy of all personal data on a server or data centre in India. This means that data fiduciaries are free to transfer personal data across borders subject to the conditions laid down in the bill, but must maintain a live mirror of that data in India. However, this (restricted) freedom does not extend to a sub-set of personal data – critical personal data. Critical personal data, which the bill leaves to the Central government to define, must be stored and processed only in India.
When enacted, India’s data protection law will not be the first to recommend data localisation. In April, the Reserve Bank of India imposed a hard data localisation mandate on payment systems providers to store payment systems data only in India. Telecom sector localisation mandates are older still: barring limited exceptions, telecom service providers are not allowed to transfer user information and accounting information outside India.
Why and for whom?
The Srikrishna Committee wants to localise data for law enforcement to have easy access to data, to prevent foreign surveillance, to build an artificial intelligence ecosystem in India, and because undersea cables through which data transfers take place are vulnerable to attacks. The Reserve Bank wants data localised so it can have “unfettered supervisory access” to “ensure better monitoring”. The cloud policy panel seems to be driven by similar considerations, of ensuring that India’s law enforcement, investigation, and national security agencies have easy access to data. For the e-commerce task force, on the other hand, while national security and law enforcement access are relevant criteria, the larger motivation appears to be the growth of domestic innovation and firms, in turn leading to the growth of India’s digital economy.
Government considerations, particularly law enforcement access, appear to be common across the policies discussed above, and a key driver for India’s data localisation mandate. Through our analysis of all stakeholders’ responses to the Telecom Regulatory Authority of India’s privacy consultation paper, and some (publicly available) stakeholders’ responses to the Srikrishna Committee’s white paper, we learnt that not just industry but civil society too was against data localisation. Government inputs to both of these documents are not available publicly, but can be inferred based on other publicly available information, including statements by government officials.
While industry opposition to data localisation might appear to be the rule, there are at least two notable exceptions. PayTM, which started off as a mobile wallet but has since grown to occupy diverse market segments, including e-commerce, supported data localisation in the past, and continues to do so. Reliance Jio, also eyeing India’s lucrative e-commerce market, had come out in support of data localisation in its response to the telecom regulator’s privacy consultation paper last year. With a presence in many key sectors including payments, e-commerce and even data centres (Reliance Jio), both PayTM and Reliance Jio stand to benefit from a data localisation mandate. Data localisation will at the very least inconvenience their competitors, and impose additional compliance costs on them. As members of the e-commerce task force, which so far has excluded foreign players, both companies are well-placed to shape favourable policy outcomes.
Policy developments around data localisation are an excellent insight into the government’s thinking, and a handy indicator of what lies ahead. But, legally enforceable data localisation mandates can only be effected through laws made by Parliament (such as the data protection bill), or regulations framed by relevant ministries or regulators (such as the Reserve Bank localisation mandate). For laws and regulations to be valid, they need to be constitutionally sound.
Data localisation mandates raise at least two constitutional questions. First, does data localisation restrict the fundamental right of all Indian citizens to “practice any profession, or to carry on any occupation, trade or business”? This freedom is not absolute, and the state may restrict it in the interests of the general public. Whether data localisation mandates are in the interests of the general public may well be a question that courts are eventually asked to decide.
The second, and for me, personally, more interesting question, is whether data localisation violates an individual’s fundamental right to privacy. This right was recognised as being part of our Constitution by the Supreme Court in Puttaswamy versus Union of India almost exactly a year ago. The fundamental right to privacy includes an individual’s right to make her own decisions about what happens with her data. This right, like other fundamental rights, is not absolute, and the state is allowed to frame restrictions subject to certain conditions. This means that in some situations, an individual may not have absolute control over what happens with her data, and the state may make some of those decisions instead. Data localisation is one such example, where the state may decide that an individual’s data cannot be transferred overseas, even though the individual may have no objection to such a transfer. The guarantee of the Puttaswamy ruling, however, is that any restriction by the state on the fundamental right to privacy must fulfill a three-part test – it must be in furtherance of a legitimate state aim, backed by law, and be necessary and proportionate. Whether data localisation mandates fulfill this three-part test may also well be a question that courts are asked to decide.
Nehaa Chaudhari is a lawyer, and heads the public policy practice at TRA Law, an award-winning law and policy firm focused on startups and technology.