By Nantoo Banerjee
It is most surprising that India’s bid to enforce data localisation should be strongly contested by the European Union, which boasts one of the world’s toughest personal privacy regimes. The EU, US, Russia and China all have their ways to strongly and legally protect their sensitive personal and organisational data locally. One wonders why the local data protection locally is not good for India, from their external perspective. The EU’s General Data Protection Regulation (GDPR) gives its citizens the right to demand companies disclose and delete information held about them. No one contested GDPR. China does not give a damn about what outside nations and corporates think about its own stringent data protection regulation. Then, why is the outside world making so much fuss about India’s data localisation policy?
Interestingly, GDPR has won international support from global tech companies such as Apple and Facebook and even from China’s Huawei, the world’s largest telecom gear maker. EU passed the ambitious internet privacy law in May. However, when it comes to India, EU and global technology players think India’s data localisation requirements are unnecessary, “be it from a data protection standpoint, as a matter of economic policy or from a law enforcement perspective”. Bruno Gencarelli, head of International Data Flows and Protection at the European Commission, made an official submission to India’s Ministry of Electronics and Information Technology (MeitY), pleading that such regulations would create “unnecessary costs, difficulties and uncertainties that could hamper business and investments”. Gencarelli even raised concerns on the independence of the Data Protection Authority of India that would supervise and investigate the application of the law, and the exemptions for the free collection and processing of data in the interest of ‘national security’. The European Commission published its submission to MeitY on its website on November 19.
Obviously, the local data protection locally has a cost aspect. Multi-national organisations doing business with India will have to bear an additional cost for data localisation. Foreign operators may have to duplicate infrastructure to be able to hold a copy in India. They may be worried that the Indian action on data localisation may induce other countries to follow suit. But, that is not India’s concern. The world’s fifth largest economy, having the second largest population and boasting nearly a trillion-dollar foreign trade, is not expected to continue with a flexible data collection and deposit regime for long. If other economically and militarily stronger countries can go against the so-called general philosophy of internet of seamless flow of data, there is hardly any reason as to why India should not protect locally its sensitive personal and organisation data.
Last year, MNCs operating in the country scrambled to try and meet a RBI-mandated deadline to store Indian users’ financial data in India. This was a major step towards “data localisation”. Most large domestic companies were delighted as the government firmed up its stance on storing data of Indian users in the country. Data localisation is a concept. It fortifies the need for processing and storing personal data of a country’s residents within that country. As of now, much of cross-border data transfers are governed by individual bilateral “mutual legal assistance treaties”.
Data security is a global issue, because most countries are facing data security problems — personal, corporate, organisational or military. While China’s Huawei and ZTE have been in the news in the western world and its Pacific allies such as Japan, Australia and New Zealand on account of security concerns, there is no reason to believe that other big telecom companies and equipment manufacturers could be trusted with sensitive data. Last year, the intelligence chiefs of the U.S., U.K., Canada, Australia and New Zealand had a meeting to make plans to publicise their concerns about allowing Huawei equipment to operate in their countries and governments. The UK’s state-run laboratory, set up specifically to evaluate Huawei hardware and software, reported ‘shortcomings’ in Huawei’s engineering processes that raised security risks. Following a big push from the British government, Huawei agreed to spend $2 billion to address the issues. In August last year, the U.S. Congress passed a law specifically prohibiting US government agencies from purchasing or using telecom and surveillance products from Chinese companies like ZTE and Huawei, which are particularly named in the law.
India needs its own set of personal data protection law and regulations as the country is fast moving towards a digital economy. Incidentally, the Supreme Court’s landmark judgement declared privacy as a fundamental right of an individual. The Srikrishna Committee, responsible for drafting the bill, has noted the need for a legal framework that can act as a template for developing countries across the world. The expert committee took into account three key approaches to data protection that are currently adopted by other countries. They are: America’s sectoral, EU’s omnibus regulatory approach and China’s data protection approach for averting national security risks.
The proposed Indian law awards the sense of rightfulness in the individual by calling them “data principals” and pronounced a duty of trust for organisations by calling them “data fiduciaries.” The EU has termed individuals whose personal data is being processed as “data subjects” and organisations responsible for determining the purpose of processing “data controllers.” The bill introduces a set of new obligations such as periodic data audits, maintaining the records of data processing and performing data protection impact assessments. The obligations identified in the draft bill will be applicable not only to data fiduciaries established in India, but also to data fiduciaries carrying out the systematic activity of offering goods and services to data principals in India or performing any activity that involves profiling of data principals within the country. Unfortunately, the latter seems to have become a big issue before some of the foreign countries and their business and trade organisations. (IPA Service)