Rising globalisation and digitisation have increased the flow of data across borders. These days, there are applications and websites for practically everything you might need in a day. This allows service providers to hold and process the data of customers residing anywhere in the world. With recent rulings of the Supreme Court of India holding that the right to privacy is a fundamental right and an integral part of the right to life and liberty, it has become crucial that organisations handling the data of Indian citizens ensure that data privacy is not put at risk when data is shared across borders. In recent times, the Indian government has passed many significant policies requiring that data be stored in India in order to meet data privacy and security standards.
What is Data Localisation?
Data localisation refers to the requirement for physical storage of data within a country’s national boundaries. It is often used more broadly to mean any restriction on cross-border data flows, such as (i) preventing information from being sent outside the country; (ii) a requirement to obtain individual consent before making the transfer; (iii) storage of a local copy of the data; or (iv) hosting of government-related data, as well as individuals’ personal data held in cloud storage networks, within the country and not in foreign countries.
Why has Data Localisation become important in recent times?
Data Localisation has become important in India on account of four important developments:
In August 2017, the Supreme Court of India recognised that there exists a fundamental right to privacy under the Indian Constitution (Puttaswamy v. Union of India, 2017) and also upheld that any interference in the right to privacy should satisfy the requirement of a “fair, just and reasonable” procedure established by law.
A directive issued by the Reserve Bank of India on April 06, 2018 imposing stringent data localisation requirements on all payment system providers and their suppliers and intermediaries to store the entire data related to payment transactions only in India, though it can be processed abroad. This covers not only card payment services by MasterCard and Visa but also companies such as Paytm, Google and WhatsApp which offer electronic or digital payment services.
Submission of the report of an expert committee headed by former Supreme Court judge Justice B.N. Sri Krishna (“The Sri Krishna Committee”) and a draft Personal Data Protection Bill, 2018 to the government on July 27, 2018, with certain key recommendations on the localisation of personal data.
Release of various draft Acts by the Government imposing localisation requirements, such as the Digital Information Security in Healthcare Act, 2018 (DISHA), which seeks to empower the proposed National Electronic Health Authority to impose localisation requirements with respect to digital health data, and the draft national e-commerce policy, which focuses on securing critical personal data arising in India and treating it as a ‘national asset’.
How would Data Localisation benefit India?
With the restriction on the free flow of data outside the geographic boundaries of India, there are multiple benefits that one can foresee, such as:
storage of data on domestic servers will help Indian law enforcement by giving local governments and regulators the jurisdiction to call for the data when required, minimise conflicts of jurisdiction arising from cross-border data sharing, and expedite justice delivery in case of a data breach;
it will benefit the domestic economy in the long term through the growth of the data centre industry in India, consequently leading to further employment in India;
it secures citizens’ data and protects Indian data from foreign surveillance; and
it casts greater accountability on the MNCs engaged in the processing of information.
What are the key Data Localisation laws in India currently?
Although the concept of Data Localisation was formally introduced in India by way of the Personal Data Protection Bill, 2018 (now the Data Protection Bill, 2021), the question of localisation is not entirely new, as several laws and policies already exist in India to regulate the outflow of data, such as:
Information Technology Act
Data protection provisions in Indian law are contained primarily in the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules). Section 43A of the IT Act provides for the payment of compensation for failing to maintain reasonable security practices in respect of sensitive personal data.
Companies (Accounts) Rules, 2014
As per the Companies (Accounts) Rules, 2014, the back-up of the books of account and other books and papers of the company maintained in electronic mode, including at a place outside India, should be kept on servers physically located in India on a periodic basis.
The IRDAI (Maintenance of Insurance Records) Regulation, 2015
Paragraph 3(9) of the said regulation requires all insurers to store insurance data within India.
Banks, their suppliers, and intermediaries
The Reserve Bank of India issued a directive on April 06, 2018, on ‘Storage of Payment System Data’ advising all system providers to ensure that the entire data relating to payment systems operated by them is stored only in India.
Unified License Agreement issued by the Department of Telecom
Telecom Service Providers cannot transfer any accounting information relating to a subscriber (except for international roaming/billing) to any person or place outside India, nor any user information (except information about foreign subscribers using an Indian operator's network while roaming, and about IPLC subscribers).
How can I ensure compliance with Data Localisation laws in India?
It is important that organisations comply with the sector-specific requirements for data localisation along with the provisions of the Information Technology Act, 2000 (IT Act) and the Rules made thereunder.
Pending the Data Protection Bill, 2021, it is advisable that organisations create a robust data protection and privacy framework that includes important aspects such as:
Identification of data sources and evaluating the data collection requirement on the principle of data minimisation.
Ensuring use, disclosure, and retention of data only for legitimate purposes.
Consent management to enable users to review, withdraw and submit their free, informed, specific, and unambiguous consent.
Developing and sustaining best industry practices for data security and storage of data.
Assessing the technical and organisational measures taken by entities to which you have granted access to data (sub-contractors, outsourcing partners, etc.).
Devising contract management systems for NDAs, and agreements with customers, vendors, partners, or employees.