Personal data protection law: a critical analysis of data localization- By Muskan Bhardwaj

Introduction

A right that is had by a person or by a company to have absolute rights to utilize its own plans, ideas, or other intangible advantages without the worry of competitions, at least for a specific period of time. Some of the rights include copyrights, patents, trademarks and trade secrets. The reasoning for intellectual property is to encourage the business without the apprehension of other competitors of stealing their idea or take the credit of it.

The need for a total data protection scheme has been finally recognized by the authorities of India and the bill has been able to seize most of the concerns and scrutiny around data privacy and data protection in India. Basically data protection can be defined as the set of privacy laws, policies and procedures that focuses to reduce the infringement into one’s privacy and dissemination of personal data.

There is a drastic change to privacy and data protection related issues in past few years. Data has now been considered to be the most important strong point that is playing a fundamental role in the upliftment of the Indian economy.

Right to privacy and data localization

Right to privacy is not present in the constitution of India. But courts have recognized that the right to privacy is embedded in under article 19(1) (a) and Article 21 of the constitution of India which talks about freedom of speech and personal liberty respectively. Further, in the case of justice kSputtuswamy and Anr. V Union of India and others, the bench of honourable Supreme Court has held right to privacy subject to certain reasonable restrictions.

The world has been a global village ever since the internet has been invented. Because of the internet the data can flow freely all over the world. Basically data localization means the way of stockpiling the data within the visible boundaries of a country.e the data of India should be in the boundaries of India only.

There are many pros and cons of data localization on one hand it is beneficial and on the other hands it is believed that it will destroy the free flow of the internet. Most important pros of data localization are protectionism, taxation and foreign surveillances. Secondly, the disadvantages are the end of the internet and government surveillance. India, till now dearth a dedicated data protection law that addresses its concerns as a expand data-based economy.

The laws which are already present under Indian law i.e. the information technology act 2000, and the rules under Indian penal code 1860 and other sectorial rules are insufficient. For identifying the defects in the present-day Indian data protection law, the government of India appointed a committee of experts and drafting a new comprehensive data protection law for India.

The analysis on data localization under the data protection committee report and the bill: here the free flow of data is the nom and to restrict as an exception likewise right to privacy is fundamental right with some certain restriction on it.

Importance of data localization

Data localization is important to secure the personal data of the country from foreign surveillance. The importance of it is to protect the personal information of the country and its citizens from outsiders. Data localization is very important for national security. If the data is stored locally then it is easy for law enforcement to detect and collect the evidence for any criminal incidents. In some areas where data is not localized there they have to depend on MLATs to obtain access, ultimately delaying the investigation.

Data localization under the committee’s report and the data protection bill:

The committee recognized that a ban on data crossing borders as restrains personal liberty of people. Committee also recommended should also be recorded locally as well as on which the Indian laws are applied.

The government also decided that there are some data which should not cross the borders of the country. It should only be processed within the country.

Therefore there are certain points to be taken into consideration in which the government has divided the data into two parts: i.e. critical data and non-critical data. Where critical data are sensitive in nature and these types of data should only be processed in India. On the other hand, non-critical data will be allowed subject to one serving copy of it being stored in India.

Other than critical personal data, cross border transfers of personal data will be through model clauses with the data transferor being directly proportional to data principle.

Mandatory data localization: under different aspects.

Data mandated by RBI:

Here RBI directed that all the payment system should be stored in the system situated in India only. This direction by RBI has been given before the report of the committee and the data protection bill. RBI released its notification of mandated data localization on 9th April 2018 and said that the RBI includes “full extremity-to-extremity transaction details “payment instructions, and other information’s, collected processed etc.

Mandated data under the national e-commerce policy.

E-Commerce localizes several categories of data involved in it, for promoting India’s digital economy through various means and measures.in the recent time the localization under the draft amendment to drugs and cosmetics rules, 1945 has also being uplifted for the betterment and development of pharmacies.

It states that there should be the establishment of e-pharmacies web portals in India. By these portals e-pharmacies business will be conducted in India and data to be stored locally. It was said that any data of e-pharmacies, drugs or cosmetics should not be stored or sent by any means or measures from outside the country.

Data centres in India

Cost-benefit analysis

In today’s recent time the major issue with personal data is cybersecurity. For storing the data locally and to reduce the cybersecurity attacks, there is a need for the establishment of data centres, regulations and function under the law. There was the analysis which was done by cybersecurity report, 2017 released by Telstra and evaluated that business in India was most at risk to cybersecurity attacks. It is the duty of central government to give the types of personal data for which the data centres have to be developed in India and the authority to be developed under the laws to be responsible for compliance.

By the report of the committee, they analyzed some detail advantages and disadvantages for taking up mandatory data localization in India.

  1. There is a cost which arises during the enforcement of India’s own law. Mandatory data reduce such cost because of easily availability of data.
  2. There is a cost which arises while coordinating with foreign agencies; therefore it reduces that cost and time.
  3. The data which is transferred overseas by the fibre cable is venerable to security attacks, therefore due to localization of data, these security attacks has been reduced.
  4. The committee’s report, the critical data has to be stored in India only locally. So due to this, any foreign country cannot interfere in the internal matter of India.
  5. There should be a copy of data with India, which will boost the infrastructure and capture lots of data.

If data localization is having some benefits, on the other hands it has some disadvantageous cost also which arises.

There is a burden on domestic enterprises, because of mandatory data localization. It is a cost for small and medium scale businesses. Very few businesses have the expertise to establish the Centre for data localization in India.

Due to mandatory data localization there is a huge impact on economy widespread which draw the boundaries for the business to choose from limited data storing location.    

Data localization in other countries

  1. In the last few decades, the European centre for the international political economy has found a surge in data localization measures.
  2. Russia is the country having the most strict data localization systems and having high penalties. It is also having the most restrictive formation of data flow.
  3. Not all data is mandated localized in GDPR but has restricted the flow of data to other countries with the high protection framework
  4. In China government has mandated the flow of all data in a restricted sense and also the flow of data to outside countries has to pass a high-security assessment.

  Conclusion

In conclusion, the three major sets of arguments have been examined.

  1. It has been recognized that data localization will enhance security and privacy by believing that a level of protection is given to data.
  2. It was in question that the interference of government into data delays the law enforcement.
  3. There is an economic benefit that will lead in terms of creating the local data infrastructure, employment and contribution to the al ecosystem.

By analyzing all these points and above evaluation it was evaluated that the cost of sweeping data localization norms and introducing boards are likely to be greater its benefits. So it can be said that in some cases data localization can be qualified and in some cases does not.

There are some steps that should be considered while policymaking.

The government wants a country to be digital India so data localization should be weighed against its aspirations.

  • Identify the problems along with the evidence indicating the gravity of the problem.
  • Evaluate the various options regarding the issues, and consider the cost in each of them and the benefits of each alternative. This evaluation should consider all functioning of the state and economic, measures on civil liberties.
  • Choose the least intrusive measures among the various data localization options.
  • The whole process should be done in a transparent and open manner.

Shrikrishna committee has proposed a protection bill to be drafted; therefore the above process can be built into the proposed laws and regulation for the data localization. The suggestion has been given that this process should be followed till the time new laws and regulation are not conducted. For the future development in data localization India should also enter into various multi-trade agreements, which focuses more on the protection of personal data.

My opinion

For protecting personal data, for the security of the information, for the safeguard of the critical data, for development of digital India, for building strong competencies in artificial intelligence and protecting the data of citizen is now becoming mandatory. It is a challenge for the government to provide vast availability of land, power supply to data centres. Now it has to be seen that hoe government of India develop such things. 

Leave a Comment