Localization of data

Introduction

‘Critical’ data in terms of information technology generally means data which companies or body corporates need to identify as being essential to their business. This term ‘‘critical data’ has not been defined under any legislation in India. Presently if any legislative co-relation can be established with regard to critical data, it is under the ambit of the Information Technology Act, 2000 (“IT Act”). IT Act defines sensitive personal data or information (“SPDI”) and what constitutes SPDI. SDPI generally includes - (i) password; (ii) financial information such as bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise. As per the IT Act any body corporate using any of the SPDI needs to obtain the consent from the person providing such SPDI prior to using that information. In furtherance of a similar protectionist approach and recent events with regard to breach of personal data on both international or domestic scale, the Government of India (“Govt.”) has proposed data localisation as one aspect of the approach for protection of data of indian citizens and corporate bodies.


Brief overview of data protection under different regimes

Europe formulated the General Data Protection Regulation (GDPR) with an aim to create data protection policies and hold the concerned organizations accountable which hold personal data of individual or corporate person. The aforesaid data amongst others includes “critical data”. Under the GDPR, “personal data” is any data which may be identified to any natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Primarily, GDPR creates an obligation on the part of the data holder to secure and protect such personal data (personal data as defined above). One of the important aspects of GDPR is that its jurisdiction extends to different countries where such data is being shared.

In United States of America there is not one particular law governing or regulating data protection across all kind/category of data. Various state and federal laws have their respective legislation for data protection for particular catergory(ies) such as The Drivers Privacy Protection Act of 1994 which prohibits the release or use any of personal information about an individual obtained by the department in connection with a motor vehicle record. However, there are no dedicated security related laws relating to transfer or storage of data in USA. Primarily, transferor has the onus to protect the same.


Introduction of the Personal Data Protection Bill, 2018

The Govt. drafted The Personal Data Protection Bill, 2018 (“Bill”) which amongst other aspects will require storage server in India and limiting the storage capacity and processing and/or movement of within the geographical territory of India. One the key aspects of the Bill is section 40 which aims to restrict cross-border transfer of data. In this regard aforesaid Section requires that – (i) people dealing with such data store data on a server or data centre located in India or mirror such data in India; and (ii) “critical personal data” as notified by Central Government shall only be stored and processed in India. Further, section 41 of the Bill states the conditions for cross - border transfer of personal data, which is subject to prior consent of concerned individual/corporate person is amongst others, based on the following parameters:

(i) subject to standard contractual clauses or intra-group schemes; and

(ii) with the permission of the Govt. personal data can be transferred to a country, a sector within a country or an international organization.


However, strangely section 41 of the Bill is not applicable to critical personal data. One of the important aspects of the Bill is that it speaks for localisation of the data within the territory of India to protect the personal data of the citizens and organizations in the interest of national security.

The Bill makes an attempt to create a regime of data localization. Apart from the Bill, the Govt. is making all its effort to localize data and has brought about or is planning to bring in the changes to data localization – (i) RBI issued a notification that requires all payments system providers to store full end-to-end transaction details, information collected, carried and processed in India for security and supervisory purposes; (ii) the Drugs and Cosmetics Act, 1940 has been amended to regulate e-pharmacies and requires them to store data in India; and (iii) the draft of e-commerce policy, mandates companies to store all data relating to Indian users locally and says their source codes must be audited as well.


Effects the localization regime may have

Many corporates oppose the localization of data as provided in the Bill as they may have to incur unnecessary costs and uncertainties that could hamper the business aspects as well as investment of the company. Doubts are also being raised over the security of the data as currently the security systems in place by the Govt. do not seem adequate.

On the other hand data localization may create a new sphere of investment in India and may in-fact promote India as a digital hub. Companies and body corporates may finally push for enhanced security measures in relation to storage and transfer of data. Foreign entities may make India a hub for storing and transferring their data.


Conclusion

In light of the judgment pronounced in the ‘Aadhar Judgment’(Justice K.S.Puttaswamy (Retd) vs. Union Of India, WRIT PETITION (CIVIL) NO. 494 OF 2012), in which it was unanimously held that “Right to Privacy” is a fundamental right guaranteed under the Part III of the Constitution of India, 1950, the Govt. in order to protect the aforesaid right may want to push through the localization particularly for the transfer of data subject to the conditions laid down in section 40 and 41 of the Bill. To a certain extent, maybe with regard to data which may concern certain financial information, fiscal data or data relating to national security the Govt. may be successful in pushing through the Bill without any objection.

In the other aspects, it may be economical, beneficial and advisable for the Govt. to adopt mechanisms which is a hybrid of the GDPR and data protection regimes in other jurisdictions as a measure of deterrence so that data is handled in a safe and secure manner. The Govt. may place the onus on the entities acquiring and handling such data and any unauthorized dissemination and mishandling of such data should be punished heavily. Further, jurisdiction with regard to transfer and storage etc. can be extended to geographical territories outside India as has been provided in GDPR.


This Article is by Rohitaashv Sinha, Advocate & Associate Partner at Agarwal Jetley & Co., Advocates & Solicitors. Contact: Email: rohitaashv.sinha@agarwaljetley.com or Mob: (+91) - 9999565393