The central government must take some “concrete steps” to ensure that a mirror copy of Indians’ data already in possession of foreign companies is mandatorily brought back to the country in a “time-bound manner”, according to a recommendation made by a Parliamentary panel on the data protection bill in a draft report.
To be sure, the current version of the data protection bill that this Joint Parliamentary Committee (JPC) has been deliberating upon since 2019 mandates mirroring of sensitive personal data of Indians, such as financial data, health data, genetic data and sexual orientation data among others, during cross border data transfers.
The committee’s recommendation, however, takes that one step further. The JPC is of the opinion that Indians’ sensitive and critical personal data that is “already” in possession of foreign firms and is stored on servers overseas should be mirrored in India.
What makes matters worse is that critical personal data is not even defined in the current bill and it has been left to the discretion of the government to define what such type of data would be, potentially leading to uncertainty in the proposed localisation regime.
“Consequent upon the building up of proper infrastructure and establishment of Data Protection Authority, the Central Government must ensure that data localisation provisions under this legislation are followed in letter and spirit by all local and foreign entities and India must move towards data localisation gradually,” the draft report, which was read out to Entrackr, states.
It is worth noting that this is a recommendation made in a draft report by the JPC which is currently confidential and could change in the final version which is expected to be readied later this month.
Sectorally, the Reserve Bank of India already has strict data localisation norms for payments companies and recently barred Mastercard from onboarding new domestic customers—debit, credit or prepaid—onto its card network in India for violating those norms.
If the JPC’s recommendation is accepted, it would increase the compliance burden for major foreign tech companies, far beyond just payments firms, many of whom have already lobbied against localisation as mentioned in the bill.
BSA, the software alliance, which counts companies like Microsoft, Salesforce and Amazon Web Services among others as members, had last year said that data localisation will increase the cost of doing business in India and significantly increase compliance burden.
Instead, BSA had said, the government should recognise internationally accepted mechanisms for cross border data transfers to increase accountability of such exchanges.
The government has in the past rallied in support of data localisation, claiming that Indians’ data ought to be stored in India so that they can have greater control over how companies use it. Data localisation, as per the government, is a pro-privacy mechanism.
Civil society activists and privacy practitioners, however, have opined otherwise. They believe that storing data in the country means that the government and law enforcement agencies have easier access to it, triggering fears of increased state-sponsored surveillance.
The Delhi-based digital rights advocacy group Internet Freedom Foundation had earlier argued against mandating data localisation.
“Free flow of data, with adequate safeguards to ensure that data protection rights apply to the data of Indians no matter where it may be transferred truly protects privacy in our internet age while also helping make India a valuable player in the globally networked trade regime,” the organisation had said.
‘Prepare an extensive policy on data localisation’
The JPC, in its draft report, also recommended that the government must prepare a policy on data localisation which includes aspects like development of adequate infrastructure for the safe storage of data of Indians, introduction of alternative payment systems and inclusion of the system that can support local business entities and startups to comply with the data localisation provisions.
“The Committee also desires that proper utilization of revenue generated out of data localisation may be used for welfare measures in the country especially to help small businesses and startups to comply with data localization norms,” the JPC draft report on the data protection bill reads.