Data localisation row in India: This is why global companies oppose proposal
The first and foremost — data localisation where the draft bill has suggested that personal critical user data will have to be processed and stored in India on a server or a data center located in India. The personal data may be transferred outside India, but at least one copy of the data needs to be stored in India. This provision is bound to create ripples across the global firms operating in India.
India has taken the first step towards creating a framework for data protection and privacy of users data. The first draft of the bill for data protection came out last week outlining measures to safeguard data and redressal mechanism in case of data breach, but experts have called for more consultations on the issue besides picking up grey areas in the framework.
The first and foremost — data localisation where the draft bill has suggested that personal critical user data will have to be processed and stored in India on a server or a data center located in India.
The personal data may be transferred outside India, but at least one copy of the data needs to be stored in India. This provision is bound to create ripples across the global firms operating in India.
Many startups and companies dealing with personal data will have to make an additional investment to comply with these norms.
Shweta Mohandas from the Centre for Internet and Society told DNA Money that most startups that have been using cloud services till now will have to spend more money in order to ensure that they comply with the provisions of the bill.
Mahesh Uppal, a telecom analyst, echoed similar views. “It will be an additional investment for startups and companies dealing in personal data and am sure they are not quite amused about it. Cost reduction is a major issue for them as well as business flexibility where they decide what suits them best in terms of location of data.”
“All these things — in the end are commercial decisions. Some companies may choose to lessen their exposure and some might spend willingly to take extra cost, depending upon the benefits,” Uppal said. Besides, there is no clarity on how critical personal data will be defined.
“Personal data that is considered as “critical personal data” shall only be processed in a server or data center located in India. This provision can be problematic as there is no definition of what “critical personal data” would include. This provision may make startups wary of working on products and services in sectors such as healthcare and fintech, where the data is already considered sensitive and has a potential to be considered as “critical personal data”, Mohandas adds.
Even the association for IT industry Nasscom along with Data Security Council of India expressed concerns over this provision of data localisation.
“Mandating localisation of all personal data as proposed in the bill is likely to become a trade barrier in the key markets. Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets.”
Mozilla, the maker of Firefox browsers, in a blog says,”Notwithstanding the protections on processing in the interest of the security of the state, it’s hard to see that this provision (data localisation) is anything but a proxy for enabling surveillance.”
An expert panel headed by Justice B N Srikrishna, on Friday, submitted its report on data protection as well as the draft ‘The Personal Data Protection Bill, 2018’ after a year-long consultation process.
Other recommendations include setting up of a data authority, option of withdrawal of consent, penalties proposition and criminal proceedings for violations. It also suggested steps for protection of personal information and defined obligations of data processors and rights of individuals.
The report has come at a time when there are alleged reports of data leakage and misuse with respect to Aadhaar and breaches of data of Facebook users by data analytics firm Cambridge Analytica.
In May this year, the European Union General Data Protection Regulation (GDPR) also came into force under which all the firms had to adhere to the new regulations.
In the committee’s report, there are suggestions on consent which comprises personal data including sensitive personal data, exemptions which can be granted, grounds for processing data, storage restrictions for personal data, individual rights and right to be forgotten. It also has suggestions on rights of children, data protection authority and the right to recall data.
Many experts have criticised the committee’s report for not treating Aadhaar as an integral part of the whole data protection issues. Though the Supreme Court is looking into the entire Aadhaar case, there could have been wider details on it and data issues, although the committee has proposed some modifications in the Aadhaar Act, according to an expert.
Watch this Zee Business video
When asked about Aadhaar issue, Uppal says the committee should have delved deeper into it. “By treating these things in parts, it reduces the value of this report as nobody can argue that Aadhaar is not a key part of the privacy issue.”
Source: DNA Money