Last year, in conversation with historian and author Yuval Noah Harari, Mark Zuckerberg had expressed that he understands the growing demand for data localization from the Indian voices. However, he also emphasized that meeting such demands could institute dangerous examples in other countries where there is a high chance of data abuse.
But what is Data localization?
In the Indian context, data localization means that companies that collect critical customer data can store and process such data within the Indian borders. Reserve Bank of India’s (RBI) asked companies to localize sensitive data which made tech majors like Paytm, WhatsApp, and Google change their data storage locations to India by October 15 2019. However, currently, no fines or penalties are being imposed on non-complying companies who missed the deadline.
In an article published on Mondaq, data localization can also be defined by its effect viz., strict or conditional. The former includes requirements of local storage or processing of data; in extreme cases, a complete ban on transferring the data abroad. For conditional restrictions, the transfer of the data is made subject to the satisfaction of conditions. These conditions may apply to the persons undertaking the transfer (such as the need to obtain the individual’s prior consent) or to the transferee country where the data is being sent.
- The narrative around data protection in India began during K.S. Puttaswamy vs. Union of India (2017) Right to privacy case. In a landmark verdict, a nine-judge bench of the Supreme Court of India acknowledged the right to privacy as a fundamental right. During the case, the Indian government set up an expert committee to devise India’s data protection framework. This committee was known as the Krishna Committee as it was headed by the former Supreme Court judge B.N. Srikrishna. After a public consultation on a white paper, the committee submitted a draft Personal Data Protection Bill and an accompanying report interestingly entitled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians.” Later, the Personal Data Protection Bill (PDP) was tabled in Parliament’s Lok Sabha by Information and Technology Minister Ravi Shankar Prasad in the last session held on December 6, 2019.
- Meanwhile, India, along with countries like South Africa and Indonesia, chose not to sign the declaration on Osaka Track because it would undermine the core WTO principles for arriving at consensus-based decisions. The Osaka Track aimed to get rid of data localization policies and facilitate the free flow of data to boost multilateral digital trade during the 2019 G20 summit.
- Furthermore, localization restrictions have also been placed on payment data. On April 6, 2018, the Reserve Bank of India (“RBI”) issued a circular12 mandating all payment system providers to store payment data locally only in India. It was done as RBI wanted to have unfettered supervisory access, to ensure better monitoring and protect consumer interests. This prompted companies like Visa, MasterCard, and American Express to lobby New Delhi in an attempt to explain why more time was needed to implement the new rules. Ultimately, Visa and MasterCard complied while still seeking relaxation from the RBI.
The critical driving ideas behind all these were to secure individual rights, widen the tax base, to have Nation Security and Law Enforcement, lastly, to protect the nation’s economy.
What does it mean for the Indian Market?
For starters, the local storage of data will reduce network latency and improve speed. As a result business brand can expect the availability of quality talent at a lower cost with all data getting stored locally. Plus due to factors like growth of user data, e-commerce, growth of cloud provide additional benefits. Some of the latest providers with resource ownership will be able to build massive capacities of data centers at much higher scalability and quality but at much-reduced costs and round-the-clock personal service.
Big Basket, the online grocery store shifted its data center from Singapore to Mumbai and noticed up to 10 percent improvements in transaction efficiency.
In addition to that, the data center business in India is witnessing companies like Reliance Industries, Adani Group, and the Hiranandani Group enter this space. Even hyper-scale providers like AWS, Microsoft Azure, Google Cloud, etc. are participating for collaborations or have announced multiple B2B partnerships.
What does it mean for the USA?
Post the introduction of the Data Protection Bill; the global business community has expressed discontent over certain aspects of the proposed legislation. The USA claimed that the bill puts restrictions on ease of doing business in the country concerning the exchange of data in digital commerce, I.P., and global payments. Some officials also expressed their fear that international companies are being forced by the Indian government to set up redundant data centers, thus hampering India’s prospects of investments. They argue that the bill should have sought to secure the data instead of localizing it. Apart from it, since the bill is considered as a mirrored version of the European Union’s General Data Protection Regulation (GDPR), the USA largely views the protection of online data and information as less the government’s responsibility than, for example, many counterparts in the European Union.
U.S.-India Business Council President NishaBiswal criticized the supposedly privacy-focused bill for reaching into other areas, such as liability of social media intermediaries. According to her, this should have been handled in separate legislation.