India’s data localisation requirements are unnecessary and potentially harmful: EU tells IT Ministry

Updated on 04-Jun-2020
HIGHLIGHTS

In a written submission to a consultation request on India’s data privacy law, an official from the European Union (EU) advised the Ministry of Electronics and Information Technology (MeitY) to introduce more clarity on certain aspects of the Personal Data Protection Bill of India 2018.

The European Union (EU), which brought the General Data Protection Regulation (GDPR) to harmonise data privacy laws on May 25 this year, has said that the data localisation requirements that the Ministry of Electronics and Information Technology (MeitY) had proposed in the draft Personal Data Protection Bill of India 2018 are unnecessary and potentially harmful for business and investments. It said that modern data protection regimes should be designed to afford individuals a high level of protection while facilitating data flows in a way that maximises economic opportunity and consumer interests.

“The provisions of the draft law which require every data fiduciary to ensure the storage of at least one copy of personal data on a server or data centre located in India raise questions,” Bruno Gencarelli, Head of Unit – International Data Flows and Protection, European Commission, said in a written submission to the MeitY. “This applies even more so to the provision in the draft law that permits the Central Government to stipulate that ‘critical personal data’ (an undefined category) must be exclusively processed within India. These data localisation requirements appear both unnecessary and potentially harmful as they would create unnecessary costs, difficulties and uncertainties that could hamper business and investments. This also applies to the exceptions [in Section 40(3)] which provide no clear guidance as to when the Central Government might consider an exception ‘necessary’ or in the ‘strategic interests of the State’,” Gencarelli said.

Gencarelli notes that the draft law, in a number of places, leaves discretion to decide key matters in the hands of the Central Government or the Data Protection Authority rather than dealing with them in the draft itself. He said that this could create uncertainties which could be avoided by providing clarifications in the final version of the Bill. Though the official welcomed the establishment of the Data Protection Authority for India (a key element of any modern data protection law), he said that any suggestion that the Authority could be influenced by the Central Government through “directions” or any other decisions could undermine the law’s legitimacy, effectiveness and authority.

“To effectively play its role, it is essential that such Authority acts with complete independence and impartiality in performing its duties and exercising its powers, free from any external influence. While the draft law highlights this aspect for the Adjudicating Officers, we did not find a clear statement in this regard for the DPA as such. Similarly, the articles concerning the Appellate Tribunal could benefit from further clarifications as regards the qualifications, terms and conditions of appointments, grounds for removal, etc. of its members, as it is the case for the Data Protection Authority,” Gencarelli noted.

The official also praised the Bill for the inclusion of a “reasonable purposes” ground, which basically establishes clear and flexible grounds for processing of personal data under the data protection framework. The EU notes that this is “largely” akin to the GDPR’s “legitimate interests” provision and subject to a comparable balancing test. “However, we read that ‘reasonable purpose’ can also be interpreted as including cases where ‘the data fiduciary can reasonably be expected to obtain the consent of the data principal’. We are wondering what is the exact meaning and scope of this clause,” the written submission noted.

The Personal Data Protection Bill of India 2018 is not finalised yet, and the Committee of Experts on Data Protection is expected to include the recommendations by the EU in the final bill. The initial draft became controversial and several industry experts pointed out multiple problems with the bill, specifically the data localisation requirement or, in layman’s terms, the requirement to store data (or a live copy of it) on a server in India. US companies expressed strong opposition to this requirement, saying that it is extremely prohibitive to business growth plans as companies would now be forced to invest in data centres in India instead of business expansion, the same point that Gencarelli made in the written submission to the MeitY.

Sourabh Kulesh
