Even as India introduced its personal data protection Bill on Friday, industry bodies and subject experts largely welcomed the move. But nearly all of them point to a provision that talks of restricting cross border data flows by setting up local servers in India.
Data localisation, or making it mandatory for companies to set up local servers in India, has drawn criticism from nearly all quarters.
The BSA| The Software Alliance, welcomed India’s move to make a comprehensive data protection regime. This industry body includes members such as Microsoft, IBM, Amazon Web Services, Cisco, Apple and Salesforce.
“However, including data localisation requirements in such legislation is contrary to the goals of promoting a Digital India, as global data transfers are critical to cloud computing, data analytics, and other modern and emerging technologies and services that underpin global economic growth,” said Venkatesh Krishnamoorthy, Country Manager India, BSA | The Software Alliance.
Also Read: Srikrishna Committee recommendations out, draw praise and flak in equal measure
The draft Bill, released on Friday, says: "Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies".
Businesses fear that if they are not allowed to transfer data unless vetted by an authority, it will cause delays in processing that data for analytics or building artificial intelligence models.
Higher costs
This may also eventually cost customers.
In 2016, the Internet and Mobile Association of India (IAMAI) and PLR Chambers came out with a report titled “Conducive policy and & regulatory environment to incentivise data center infrastructure”.
In the report, the industry body said that in addition to having only limited efficiency to secure communications, data localisation could increase costs for companies, which might be imposed on consumers.
It further said “From India’s perspective, it has also been estimated that imposition of data localisation requirements would contract the national GDP by 0.1% to 0.8% and negatively impact the investment climate, bringing down net investment into the country by nearly 2%. This would also reduce the monthly income of the average Indian worker by 11%.”
Brazil experience
In the report, IAMAI quoted a piece done by WSJ on Brazil, which also tried to mandate data localisation, it was found that factors like electricity tariff, stamp duty charges, import duties on equipment further impact data centre costing.
Data centres, according to the report, are capital-intensive projects that use thousands of computers and tens of humans.
The report added that Brazil is the most expensive country in the Western Hemisphere in which to build data centres. While building a data centre in the US costs $43 million on an average with a monthly operating cost of $510,000, building a similar facility in Brazil would cost $61 million
and $950,000 monthly to operate
In India too, electricity and taxation could be an issue.
The increased cost would have the most impact on startups and small businesses. “Forced localization might reduce consumers’ choice and ability to locate their data in other countries that are seeking for better privacy protections, risks of censorship/monitoring at home, better quality of service etc,” the report further noted.
Data localisation has been a contentious issue, not only from a data protection perspective, but also in other policy consultations such as those on cloud computing under the telecom regulator a couple of years ago.
The US India Business Council, a business advocacy group, also tweeted about the data protection bill the day it became public.
“@USIBC will seek to work with the Government of India to further improve the bill prior to its due consideration by the Parliament. Privacy, security, data fidelity & cross border data flows are critical to India's leadership of the global digital economy & innovation. We must work together to get this right,” it said in the tweet.
Other concerns
Another impact of the proposed data protection Bill, if it becomes law, could be on internal information technology policies of companies, who are increasingly adopting bring your own device programmes.
“Considering most organizations today allow for reasonable use of company issued computers and other IT assets for personal use, it is likely that a significant amount of personal data resides on these assets. This may pose a challenge while seeking assets for investigations or other proactive fraud detection measures undertaken by the organization. In line with these new guidelines, organizations may need to relook at their internal IT policy and their fraud response policy and ensure that employee approvals are obtained prior to accessing personal data,” said Jayant Saran, Partner - Forensic, Financial Advisory, Deloitte India.
Another issue is that of the government exceptions that allow access to data, a provision that finds mention in the Bill.
"I am happy to see the comprehensive coverage and inclusion of accountability and punitive damages. It is important however to plug gaps that may allow certain public entities or constitutional authorities from claiming exemptions. I also feel that given the pervasive impact and importance of Aadhaar data, UIDAI and allied services, more needs to be done to empower the individual (data principal) in understanding who has access to what data, how and provide them the means to take direct action against misuse or mishandling of such data,” said Pandurang Kamat, Chief Technologist and Associate chief technology officer at Persistent Systems.
