Vikram Koppikar
The Reserve Bank of India set the balling rolling with a directive that payment service providers store all information related to payments systems within India. This was followed by the draft bill on Data Protection, framed by a working committee headed by former Supreme Court Judge BN Srikrishna. The bill proposes that one copy of all personal data be stored on servers located in India (S. 40, Personal Data Protection Bill, 2018). Such storage requirements are subject to the central government’s right to exempt (such requirements) in matters of “strategic interest”. The exemption from localisation is denied however, for information relating to health, religious beliefs and financial information.
The arguments pressing for data localisation are familiar. The supporters include the government.
A white paper on data protection released before the draft bill detailed the benefits of data localisation and said it would prevent “foreign surveillance” and allow “ease of access of data” for law enforcement purposes. The Indian judiciary has had middling success in summoning foreign data providers/ hosts and it is hoped that this localisation could turn this tide. Remember I&B minister Ravi Shankar Prasad talking about getting Mark Zuckerberg on trial in Indian courts? Data localisation could be the beginning of such a scenario actually fructifying
Big information technology (IT) firms are another set of supporters because they already have India-based data servers. A law to store data within India would provide much respite since the prescribed penalties for data breach liability in the proposed bill are a mere pittance compared to those under the European General Data Protection Regulation (GDPR).
While the ink has yet to dry on the final legislation, it appears that the government in this case appears to have perhaps acted hastily in creating the localisation provisions.
While card and payment companies have protested the cost and regulatory tangles that come along with the data localisation requirement, remember that Google’s payment system Google Pay runs on NPCI’s UPI system, which should logically clear it of many regulatory requirements at the onset.
The government’s decision to allow for retention of one copy of data in India is even more baffling. This coupled with the absence of a GDPR-like mechanism where the data subject is to be mandatorily notified in event of a data breach, dilutes the bill’s intent to protect data subjects to a large extent.
The white paper on data protection, which preceded the Bill, mentions the Microsoft Case (Microsoft Corporation v. United States of America, No. 14-2985 (2d Cir. 2016). The case involved the US government’s efforts to access personal emails of alleged drug traffickers, which was thwarted by Microsoft to a large degree on account of said emails residing on a Microsoft server in Ireland. In March 2018, during the course of the trial, the US Government passed the Clarifying Law Overseas Use of Data (CLOUD) Act, which compels US based technology companies, via warrant or subpoena to provide data residing on servers, irrespective of where the data resides.
The Indian government would have done well to follow a similar mechanism against technology companies having access to Indian citizen data rather than the mandatory data localisation requirement.
(Vikram Koppikar is senior legal counsel, Tata Consultancy Services Ltd. Views expressed are personal.)
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
