Regulating the flow of data across national borders is increasingly viewed as an essential mechanism for implementing national data protection and privacy laws extraterritorially. Most jurisdictions impose conditions on when and how data can be transferred (commonly called data export restrictions), and very few resort to physical data localization requirements.[1] Data localization is commonly understood as regulatory and policy efforts requiring some or all aspects of personal data processing to take place in a particular jurisdiction.
Governments looking at imposing localization requirements are motivated by a variety of reasons: citizens’ privacy, data security, corporate accountability, national security, protecting local businesses, checks on freedom of speech, and surveillance. Some jurisdictions, like Russia, have enforced localization requirements with rigour. In 2016, a Russian court of appeal ruled that the professional social network LinkedIn was in violation of the data localization requirements. Consequently, the site was blocked and approximately 6 million users could no longer access it overnight.[2] At the same time, localization can result in segregation of the internet, act as an entry barrier for new technology and businesses, increase network latency, hamper user experience, affect the robustness of network security, and raise infrastructure and resource costs for companies. Some critics have also argued that localization could in fact endanger privacy. For instance, where a breach incident happens, it is prudent to port the data to a safer location in order to mitigate the risks, which cannot take place where governments force localization. In a similar vein, where organizations are forced to store their data in a particular jurisdiction, their limited network security resources will be split and their economies of scale reduced, resulting in additional points for security failure and privacy breach.
Amidst all the practical difficulties and the adverse impact that physical localization may have on privacy and the digital economy, India’s Personal Data Protection Bill, 2019 (2019 Bill) proposes data localization for certain kinds of data. This post aims at analysing the proposed Indian framework and its implications.
1. Existing framework: The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules (IT Rules) provide the conditions for transferring personal and sensitive personal information. They state that any body corporate or its agency can transfer personal information within or outside India provided:
- the transferor ensures that the transferee affords the same level of data protection as the transferor provides under the IT Rules; the IT Rules mandate entities to (i) put in place comprehensive, documented and reasonable information security policies that contain managerial, technical, operational and physical security control measures commensurate with the information assets and nature of business, and (ii) implement them;
- the information transfer is necessary for performance of the lawful contract between the transferor and the individual providing the information; and
- the information provider has consented to the transfer.
Additionally, in 2018, the Reserve Bank of India, under the Payment and Settlement Systems Act, mandated banks and payment system operators to store all end-to-end transaction data strictly in India, even where the data is processed abroad.[3] It required them to ensure compliance within 6 months in such a manner that transaction data at all times remains only in India. The Reserve Bank’s data localization requirements have received criticism from international financial service providers, who have been obligated to incur substantial costs to comply with the storage requirements. Based on the above conditions, it can be gathered that currently, personal and sensitive personal information is freely transferable without any localization requirements, except payment systems’ end-to-end transaction data.
2. PDP 2018: The draft Personal Data Protection Bill 2018 (2018 draft) contained stringent data localization and cross-border transfer requirements. Under the 2018 scheme, a data fiduciary had to store at least 1 serving copy of personal data on an Indian server or data centre. Further, the central government could notify special categories of personal data as “critical data” that could not be processed in any manner outside India. However, the 2018 draft remained silent on what considerations the government would factor in when classifying critical data. Alongside the localization requirements, the 2018 draft proposed cross-border transfer with consent from the data principal through the following alternative models:
- transfer in accordance with standard contract clauses, or intra-group schemes as approved by the Data Protection Authority (DPA), provided the contract or scheme ensures protection of the data principal’s rights and the transferee undertakes compliance therewith;
- transfer to another country, or to a sector within a foreign country, or to an international organization that has been considered adequate by the central government in consultation with the DPA, factoring in the foreign transferee’s data protection means, applicable laws, and enforcement mechanisms (commonly understood as adequacy decisions);
- transfer for necessity as approved by the DPA.
The 2018 draft’s localization requirements garnered censure from all corners. While the government maintained that the underlying objective was to achieve better privacy safeguards for a principal’s personal data and to expedite the enforcement mechanism, stakeholders viewed the restrictions as an attempt to increase state surveillance and data sovereignty, and as raising the costs of doing business in India. Additionally, based on the experience of regulators and players in other jurisdictions, adequacy decisions are mostly bilateral cooperation exercises between countries, where varied factors such as rule of law, access to justice, human rights enforcement regime, and the state of relevant laws and the criminal justice system are considered. As a result, arriving at adequacy decisions can stretch over years. Besides, international experience also indicates that developing standard contract clauses or binding corporate group schemes takes substantial time. In essence, the 2018 draft proposed an excessively regulated ecosystem for cross-border data transfer.
3. PDP 2019: In the wake of the stern opposition to the localization proposals, the 2019 Bill limits the restrictions. Clause 33 of the 2019 Bill provides 2-fold localization requirements:
- sensitive personal data can be transferred and processed outside India subject to certain conditions, but must be stored in India; and
- critical data can only be processed in India, except that critical data can be transferred cross-border only in rare circumstances as explained in the subsequent paragraph.
With the revised proposal, personal data which is not sensitive or critical no longer needs to be localized. However, the 2019 Bill still does not clarify the scope or essential guidelines for grouping data as critical data. This gives the central government unfettered power to classify any data as critical. Further, sensitive personal data is widely defined under the 2019 Bill. Sensitive data, apart from including financial, health, genetic and biometric data, official identifiers, sex life, sexual orientation, transgender status, intersex status, caste or tribe, and religious or political belief, will also include the set of personal data that “may reveal, be related to, or constitute” the above categories. In practice, this can render all personal data sensitive. For example, although a person’s name does not per se qualify as sensitive, her last name could reveal caste, thereby making the name sensitive data. Furthermore, the central government, in consultation with the DPA and concerned regulators, can notify additional categories of sensitive personal data. Therefore, while it appears that the localization proposals have been revamped, in reality, organizations may still have to store vast volumes of data as sensitive data in India.
The 2019 Bill also stipulates restrictions on cross-border data flow. It states that sensitive data can only be transferred outside India if explicit consent has been obtained from the principal and the transfer is through any 1 of the following methods:
- a DPA-approved contract or intra-group scheme;
- countries or sectors or organizations with adequacy decisions from the central government;
- for any specific purpose as allowed by the DPA.
These conditions are mostly similar to the 2018 draft (as explained in paragraph #2 above), although the 2019 Bill does not mandate these conditions for cross-border transfer of personal data. However, as analysed in the previous paragraphs, arriving at adequacy decisions and developing contract clauses or intra-group schemes will take time, and with the high likelihood that any data can qualify as sensitive data, organizations will have to comply with the transfer requirements for all data sets. Apart from the conditionalities for transfer of sensitive data, the limited circumstances where critical data can be transferred include (i) transfer for health services, emergency, or any prompt action, or (ii) transfer to a country with an adequacy decision, provided the transfer in the central government’s opinion does not prejudice India’s security and strategic interest. Where critical data is transferred, the fiduciary must notify the DPA about the transfer in such manner as may be prescribed by the DPA.
4. EU requirements: EU General Data Protection Regulations (EU GDPR) provide for a tiered structure on how personal information can be transferred to other jurisdictions outside the EU and the European Economic Area.
- Firstly, it permits transfer to foreign countries recognised as adequate jurisdictions by the European Commission.
- Secondly, transfer to other jurisdictions sans an adequacy decision is permitted if the controller or processor ensures that there are effective remedies for the data subject’s rights and there are adequate safeguards. Adequate safeguards can be provided through (i) binding corporate rules (similar to intra-group schemes under the 2019 Bill), (ii) standard contractual clauses executed with the recipient, or (iii) an approved code of conduct or certification mechanisms (like the EU-US Privacy Shield 2016, which allows flow of EU data through a certification mechanism as approved by the EC and the US government).
- Thirdly, where adequate safeguards are not possible, transfer is allowed if it is (i) with the data subject’s explicit consent, (ii) necessary for performance of a contract or pre-contractual measures, (iii) essential for conclusion or performance of a contract executed with a third party in the data subject’s interest, (iv) necessary for public interests, (v) for establishing or defending legal claims, (vi) necessary to protect the data subject’s vital interests where the data subject is incapable of consenting, or (vii) from a register intended to provide information to the public.
Lastly, EU GDPR, as an overarching exemption to all export restrictions stated above, allows transfer if (i) it is not repetitive, (ii) it concerns only limited data subjects, (iii) it is necessary for compelling legitimate interests which do not override the data subject’s rights, (iv) the controller, after considering all aspects, has provided suitable safeguards, and (v) the supervisory authority as well as the data subject have been informed about the transfer and the legitimate interest pursued.
Based on the above description, it is inferred that EU GDPR does not provide for any physical localization requirements. It does not provide special data categories that must be localized. Contrary to the 2019 Bill, EU GDPR provides similar protection for all kinds of personal data in the context of data export and provides for various alternatives to transfer data.
5. Analysis: If the localization restrictions remain as proposed under the 2019 Bill, organizations will be required to store and process data in India. Multinational companies will be obligated to open new data centres, rearchitect their network infrastructure or use local cloud service providers. This may also render India an unfavourable destination for doing business due to regulatory constraints. Additionally, data export can only be carried out through limited routes. The absence of enabling provisions for data export through a privacy shield mechanism that facilitates compliance for cross-border data transfer can create roadblocks for data export from India. While there is increased speculation on where the final provisions will lean, it will be difficult to assess the possibility and process for cross-border transfer until the detailed guidelines for critical data, adequacy findings, contractual clauses and intra-group schemes are framed.