Laws for privacy in India and other countries

 The provision on data localisation is also one of the most contentious. The original 2018 bill had a blanket data localisation provision that was severely critiqued. In subsequent versions of the bill, this was relaxed a bit because of heavy pushbacks from other countries. The Data Protection Bill of 2021 now provides for soft localisation, requiring the mirroring of sensitive personal data and mandatory local processing for critical data. In other words, it permits the transfer and storage of sensitive personal data outside India, provided that a copy is stored locally.

Sensitive personal data includes data relating to health, religion, sex life, political beliefs, biometrics, genetics, finance, etc. Such data can be transferred outside the country if certain conditions are met – exactly along the lines of the GDPR’s adequacy mechanism. However, there is a bar on the transfer of critical data outside the country. It must be processed and stored exclusively in India. But the precise definition of critical data is awaited. Hence, there is not enough clarity as to what kinds of data it would cover.

The government has given quite a few reasons as to how data localisation would be beneficial for India. India is a huge data market, a large amount of India’s data is physically stored on servers located in the US, Ireland, etc. Mandating local storage would lead to the emergence of large-scale data centres in India, thereby aiding employment generation locally. It is believed that boosting the country’s overall IT or data infrastructure in this manner would fuel economic progress and help make India a global data processing hub.

While this protectionist vision on cross-border transfers of data seems to be good, the calculation of net benefits is important before implementing it. To ascertain if this regime would produce net profits or not, it would be crucial to assess if it would risk losing a considerable number of foreign businesses that offer data-based services in the country due to the added burden of complying with data localisation requirements. And the possibility of retaliatory actions by foreign governments against Indian companies should also be factored in.

Better law enforcement is another advantage which is touted by many. Enforcement agencies in India face constraints in accessing data stored in other jurisdictions. For instance, if a serious crime is committed and investigated in India, and critical evidence lies with some US-based service provider, the government would have no option but to use the data gathering mechanism provided under the India-US Mutual Legal Assistance Treaty (MLAT), which is quite cumbersome.

The US government seeks a court order before accepting a MLAT request from India. A US court determines if the Indian request satisfies relevant legal requirements under US law before passing the order accordingly. Once the order is granted, the US service provider produces the requisite data and shares it with the US Department of Justice to review for legal compliance before finally releasing it to India.