It
is most surprising that India’s bid to enforce data localisation should be
strongly contested by the European Union, which boasts one of the world’s
toughest personal privacy regimes. The EU, US, Russia and China all have their
ways to strongly and legally protect their sensitive personal and
organisational data locally. One wonders why the local data protection locally
is not good for India, from their external perspective. The EU’s General Data
Protection Regulation (GDPR) gives its citizens the right to demand companies
disclose and delete information held about them. No one contested GDPR. China does not give a damn about what
outside nations and corporates think about its own stringent data protection
regulation. Then, why is the outside world making so much fuss about India’s
data localisation policy?
Interestingly,
GDPR has won international support from global tech companies such as Apple and
Facebook and even from China’s Huawei, the world’s largest telecom gear maker.
EU passed the ambitious internet privacy law in May. However, when it comes to
India, EU and global technology players think India’s data localisation
requirements are unnecessary, “be it
from a data protection standpoint, as a matter of economic policy or from a law
enforcement perspective”. Bruno Gencarelli, head of International Data Flows
and Protection at the European Commission, made an official submission to
India’s Ministry of Electronics and Information Technology (MeitY), pleading
that such regulations would create “unnecessary costs, difficulties and
uncertainties that could hamper business and investments”. Gencarelli even
raised concerns on the independence of the Data Protection Authority of India
that would supervise and investigate the application of the law, and the
exemptions for the free collection and processing of data in the interest of
‘national security’. The European Commission published its submission to MeitY
on its website on November 19.
Obviously,
the local data protection locally has a cost aspect. Multi-national
organisations doing business with India will have to bear an additional cost
for data localisation. Foreign operators may have to duplicate infrastructure
to be able to hold a copy in India. They may be worried that the Indian action
on data localisation may induce other countries to follow suit. But, that is
not India’s concern. The world’s fifth largest economy, having the second
largest population and boasting nearly a trillion-dollar foreign trade, is not
expected to continue with a flexible data collection and deposit regime for
long. If other economically and militarily stronger countries can go against
the so-called general philosophy of internet of seamless flow of data, there is
hardly any reason as to why India should not protect locally its sensitive
personal and organisation data.
Last
year, MNCs operating in the country scrambled to try and meet a RBI-mandated
deadline to store Indian users’ financial data in India. This was a major step
towards “data localisation”. Most large domestic
companies were delighted as the government firmed up its stance on storing data
of Indian users in the country. Data localisation is a concept. It fortifies
the need for processing and storing personal data of a country’s residents
within that country. As of now, much of cross-border data transfers are
governed by individual bilateral “mutual legal assistance treaties”.
Data
security is a global issue, because most countries are facing data security
problems — personal, corporate, organisational or military. While China’s
Huawei and ZTE have been in the news in the western world and its Pacific
allies such as Japan, Australia and New Zealand on account of security
concerns, there is no reason to believe that other big telecom companies and
equipment manufacturers could be trusted with sensitive data. Last year, the
intelligence chiefs of the U.S., U.K., Canada, Australia and New Zealand had a
meeting to make plans to publicise their concerns about allowing Huawei
equipment to operate in their countries and governments. The UK’s state-run
laboratory, set up specifically to evaluate Huawei hardware and software,
reported ‘shortcomings’ in Huawei’s engineering processes that raised security
risks. Following a big push from the British government, Huawei agreed to spend
$2 billion to address the issues. In August last year, the U.S. Congress passed
a law specifically prohibiting US government agencies from purchasing or using
telecom and surveillance products from Chinese companies like ZTE and Huawei, which
are particularly named in the law.
India
needs its own set of personal data protection law and regulations as the
country is fast moving towards a digital economy. Incidentally, the Supreme
Court’s landmark judgement declared privacy as a fundamental right of an
individual. The Srikrishna Committee, responsible for drafting the bill, has
noted the need for a legal framework that can act as a template for developing
countries across the world. The expert committee took into account three key
approaches to data protection that are currently adopted by other countries.
They are: America’s sectoral, EU’s omnibus regulatory approach and China’s data
protection approach for averting national security risks.
The
proposed Indian law awards the sense of rightfulness in the individual by
calling them “data principals” and pronounced a duty of trust for organisations
by calling them “data fiduciaries.” The EU has termed individuals whose
personal data is being processed as “data subjects” and organisations responsible
for determining the purpose of processing “data controllers.” The bill
introduces a set of new obligations such as periodic data audits, maintaining
the records of data processing and performing data protection impact
assessments. The obligations identified in the draft bill will be applicable
not only to data fiduciaries established in India, but also to data fiduciaries
carrying out the systematic activity of offering goods and services to data
principals in India or performing any activity that involves profiling of data
principals within the country. Unfortunately, the latter seems to have become a
big issue before some of the foreign countries and their business and trade
organisations. (IPA Service)
The post Data Protection Must For EU, Russia, China And Others appeared first on Newspack by India Press Agency.