This note maps the opinions of some stakeholders to the White Paper of the Committee of Experts on a Data Protection Framework for India, released on 27 November, 2017 (“White Paper”).
While all responses to the White Paper are currently unavailable, responses of twenty-six (26) stakeholders are available on Dvara Research’s blog, here. This note maps the responses of these stakeholders on data localisation.
In July 2017, the Ministry of Electronics and Information Technology (MeiTY) had constituted a Committee of Experts, chaired by Justice B.N. Srikrishna (“the Srikrishna Committee”) to frame recommendations for a data protection framework for India. In January 2018, the Srikrishna Committee concluded a nation-wide stakeholders’ consultation on key issues of data protection. This consultation was based on two hundred and thirty (230) questions that it had raised in the White Paper. Final recommendations of the Srikrishna Committee are awaited.
Among many other issues raised, the Srikrishna Committee had flagged data localisation as an important issue in Chapter 9 of Part II of the White Paper. This note maps responses of the aforesaid stakeholders on data localization.
The White Paper raises the following questions on data localization:
First, “What are your views on data localisation?”;
Second, “Should there be a data localisation requirement for the storage of personal data within the jurisdiction of India?”;
Third, “If yes, what should be the scope of the localisation mandate? Should it include all personal information or only sensitive personal information?”;
Fourth, “If the data protection law calls for localisation, what would be the impact on industry and other sectors?” and,
Fifth, “Are there any other issues or concerns regarding data localisation which have not been considered above?”
The table below maps stakeholders’ responses on each of the above questions.
|Stakeholders||Data localisation||Data localisation requirement for storing personal data in India||Scope of data localisation mandate for sensitive personal information||Economic impact of data localisation||Other issues or concerns|
|Industry Associations –3*
BSA, iSPIRT, and ITI
|BSA||Does not recommend adoption of data localisation requirements.||Imposition of localisation requirements would be contrary to goals of Digital India.
|Localisation mandate to be no broader than necessary to achieve the objective.||Will cause a disproportionate impact on small and medium sized enterprises (SMEs) due to lack of resources to meet burdensome regulatory requirements; severe impact on Indian start-ups, that leverage cloud services to meet business needs.||No clear response.|
|iSPIRT||Agree with provisional views of the Srikrishna Committee. Flexibility must be provided to data protection authority.||No clear response.||No clear response.||No clear response.||No clear response.|
|ITI||No clear response.||No clear response.||No clear response.||Mandating localisation can increase costs for companies to procure data services by 30-60%; economy-wide data localisation could cost India its GDP by 0.8% and decrease investments by 1.3%.||Balance must be struck between protecting global data flows and ensuring high standard of privacy and data protection; similar to the Protection of Personal Information Act in South Africa.|
|Civil society organisations – 12**
Access Now; CCG; CIS; Centre for Trade and Investment Law; Harvard FXB Center;
IDP; Mozilla Foundation; ORF; Professor Graham Greenleaf; SFLC; Submission by Legal Academics and Advocates, and Takshashila Institution.
|Access Now||Mandatory localisation undermines fundamental interoperability of the internet.
|Oppose mandatory data localisation that does not allow transfer to third countries.||Do not oppose data related regulatory measures protecting sensitive data used by governments to protect health, biometric and genetic data.||No clear response.||No clear response.|
|CCG||Data localisation requirements should be avoided.||India should eschew articulations of uncertain scope.||No clear response.||No clear response.||No clear response.|
|CIS||Requiring local storage of personal data of citizens will create issues of trade, security and quality of service.
|There should not be a data localisation requirement for storage of personal data within jurisdiction of India.
|In case of government and intelligence data, particularly critical information infrastructure data, should be mandatory for keeping the data within India.
|Will dissuade foreign companies from investing in and outsourcing to India as requiring them to store data locally will contradict business model and be cost ineffective to them.||For critical information infrastructure data, should be mandatory for keeping data within India. For certain other kinds of data, data protection law or rules under it could mandate that a copy of data is always maintained in India.|
|Centre for Trade and Investment Law||No clear response.||No clear response.||No clear response.||A legislation that localises data in India would hamper cross-border flow of data and have a negative impact on India’s trade with other countries.||Recommend that law be crafted in consistency with General Agreement on Trade in Services (GATS), failing which it could be challenged by any member state of the World Trade Organisation (WTO).|
|Harvard FXB Centre||Data localisation is neither feasible nor advisable in this day and age. It is important to have laws that protect the individual’s personal data irrespective of location of storage or processing.
|It may not be feasible to do this for health data.
|Legislation to protect personal data is important regardless of whether said data is locally stored.
|A blanket call for localization for all sectors is detrimental.||Professional cloud computing services are a better alternative, at present, to local servers with perimeter security.|
|IDP||Data localisation does not guarantee the protection of
the rights of data subjects.
|No clear response.||No clear response.||Beyond the cost for foreign companies that cater to an Indian customer base, smaller companies will be hugely impacted if they cannot use the services of many cloud service providers because these offerings don’t have a local data centre.||Data being stored locally is not equivalent to it being protected.|
|Mozilla Foundation||No clear response.||No clear response.||No clear response.||Mandating routing of traffic through data centres located in India would disrupt the efficient and effective flow of Internet traffic; undermining the efficiency and integrity of the technology in itself; segregating certain types of data may present a prohibitively difficult and expensive barriers to start-ups, hurting innovation, limiting entrepreneurship, and undermining the promise of Digital India.||Warns of the implementation of these measures setting a dangerous example for other countries, particularly put us behind in the age of the internet.|
|ORF||No clear response.||No clear response.||No clear response.||Data centres are expensive to build and maintain, and once they are built, require little manpower and do not generate any substantial employment. Costs will be driven up as this infrastructure cannot usually be manufactured in India||Addressing concerns of foreign intelligence surveillance, data collected by public entities such as biometric data can be mandated to be stored on Indian soil. The Guidelines for Government Departments on Contractual Terms Related to Cloud Services issued by MeitY in March, 2017 are a good starting point in this regard.|
|Professor Graham Greenleaf||It may be best to leave data localisation requirements to sectoral laws dealing with certain categories of personal information, rather than trying to include a generic answer within a data privacy law.||India will need to be on guard against free trade agreements (FTAs), such as the Trans-Pacific Partnership, which make it prohibitively difficult, and potentially punitive, for countries to adopt data localisation.||No clear response.||No clear response.||No clear response.|
|SFLC||There should be no blanket regulation to store data locally.||There should be no requirement to store personal data within the territorial jurisdiction of India.
|Data pertaining to government and intelligence matters may be required to be stored within the borders but the exception should be limited to this.||The brunt of the burden created by such a requirement would be faced primarily by small and medium-sized enterprises; data localisation would also prevent users from accessing their data when they are travelling through another country.||No clear response.|
|Legal Academics and Advocates||Data localisation – when applied to the general, everyday web services and data that users engage with, would break our global open internet, and must not be considered.||Blanket data localisation proposals, which would threaten and undermine the global open internet need to be resisted.||No clear response.||No clear response.||No clear response.|
|Takshashila Institution||Data localisation could be the beginning of a slippery slope towards more transparency for the government over an individual’s data, paving the way for prohibiting end-to-end encryption, which will jeopardise privacy even more.||No.||If data localisation is desired for effective regulation of a particular sector, it can be implemented for such limited purposes. This should relate to certain types of sensitive personal data.||Several impacts already addressed in the White Paper – increased costs of business barriers to benefitting from global networks, and a negative impact on the start-up ecosystem, which will find it difficult to scale up quickly, in addition to affecting start-ups and putting us behind in the age of the internet.||No clear response.|
|Others – 1***
|Omidyar Network||There is no reason to mandate data localisation.
|No.||Not applicable, as they have opposed data localisation in response to the first question.||The economic impact of data localisation may not be very significant, since market leaders such as Amazon and start-ups now have data centres based out of India.||The law must provide that the data controllers should share information with the government, after following due process of law. If that is done, will discentivize companies from storing data in geographies that do not provide adequate security.|
*Industry Associations: ITI – Information Technology Industry Council, BSA – Business Software Alliance, iSPIRT – Indian Software Product Industry Round Table.
**Civil Society Organisations: Access Now; CCG – Centre for Communication Governance, NLU Delhi; CIS – The Centre for Internet and Society; Centre for Trade and Investment Law – Dr. James J. Nedumpara and Mr. Sandeep Thomas Chandy, Centre for Trade and Investment Law, Ministry of Commerce; Harvard FXB Center – Harvard FXB Center for Health and Human Rights;
IDP – Internet Democracy Project; Mozilla Foundation; ORF – Observer Research Foundation; Professor Graham Greenleaf; SFLC – Software Freedom Law Centre; Legal Academics and Advocates – Submission by 24 Legal Academics and Advocates, and Takshashila Institution.
***Others: Omidyar Network – Subhashish Bhadra, Associate, Omidyar Network.
Adoption of data localisation in India
As discussed in Chapter 9 (Part II) of the White Paper, data localisation requires companies to store and process data on servers physically located within national borders. Recognizing that embracing data localisation might have a strong ripple effect across industries, the Srikrishna Committee sought to conduct a cost-benefit analysis of the implications of data localisation for India. The Committee’s call for views on this issue has generated the following responses, broadly:
1. Data localisation should be opposed (9 responses): BSA, Access Now, CCG, CIS, Harvard FXB Center, SFLC, Legal Academics and Advocates, Takshashila Institution, and Omidyar Network
1.1 BSA, Access Now, CCG, CIS, and the Legal Academics and Advocates do not recommend the adoption of data localisation.
1.2 Harvard FXB Center does not consider data localisation feasible or advisable, particularly with respect to health data.
1.3 As per SFLC, there should be no blanket regulation to store data locally.
1.4 Takshashila Institution and the Omidyar Network categorically expressed their disapproval of a data localisation framework for India.
2. No clear response (5 responses): ITI, Centre for Trade and Investment Law, IDP, Mozilla Foundation, and ORF
2.1 ITI, Centre for Trade and Investment Law, IDP, Mozilla Foundation and ORF did not have a clear response on the issue of data localisation.
3. Data localisation may be adopted, but not within a data privacy law (1 response): Professor Graham Greenleaf
3.1 Professor Graham Greenleaf suggested that it may be best to leave data localisation requirements to sectoral laws dealing with certain categories of personal information, rather than trying to include a generic answer within a data privacy law.
Data localisation mandate for sensitive information
The Srikrishna Committee is of the opinion that while data localisation may not be advisable across the board, it may be considered in certain sensitive sectors. In response to their question on the scope of the data localisation mandate for specific kinds of information, the following responses have been received, broadly:
1. No clear response (11 responses): BSA, Access Now, ITI, CCG, Centre for Trade and Investment Law, Harvard FXB Centre, IDP, Mozilla Foundation, ORF, Professor Graham Greenleaf, and Legal Academics and Advocates
1.1 BSA did not provide any clarifications specific to the scope of data localisation for sensitive information. They have limited their response to stating that the localisation mandate should be no broader than necessary to achieve the objective.
1.2 Access Now is not opposed to “data related regulatory measures” protecting sensitive data used by governments to protect health, biometric and genetic data. However, it has not clarified whether these “data related regulatory measures” would include data localisation specifically.
1.3 As per Harvard FXB Centre, legislation to protect personal data is important regardless of whether said data is locally stored. They have not clarified their stance on data localisation for sensitive information specifically.
1.4 iSPIRT, ITI, CCG, Centre for Trade and Investment Law, IDP, Mozilla Foundation, ORF, Professor Graham Greenleaf, and the Legal Academics and Advocates did not have a clear response on this issue.
2. Data localisation may be considered for sensitive information (4 responses): CIS, iSPIRT, SFLC, and Takshashila Institution
2.1 As per CIS, government and intelligence data, particularly critical information infrastructure data, should be mandatorily kept within India.
2.2 iSPIRT has agreed with the Srikrishna Committee’s provisional views that data localisation may be considered in certain sensitive structures, while adding that flexibility must be provided to the data protection authority.
2.3 As per SFLC, data pertaining to government and intelligence matters may be required to be stored within the borders but the exception should be limited to this.
2.4 As per Takshashila, data localisation may be implemented for the limited purpose of ensuring the effective regulation of a particular sector. This should relate to certain types of sensitive personal data.
3. Question not applicable (1 response): Omidyar Network
3.1 Omidyar Network has considered this particular question as being “not applicable” to them, as they have stated their opposition to data localisation in response to the first question.
Economic impact of data localisation
As part of their efforts to conduct a cost-benefit analysis of the impact of data localisation on India, the Srikrishna Committee has sought opinions on the impact of localisation on the Indian industry. The following responses have been generated in this regard, broadly:
1. Data localisation will have a negative impact on industry (7 responses): BSA, CIS, Centre for Trade and Investment Law, Harvard FXB, IDP, ITI, Mozilla Foundation, and ORF
1.1 BSA, IDP, Mozilla Foundation, SFLC and Takshashila Institution are of the opinion that data localisation will have a detrimental impact on small businesses and the start-up industry.
1.2 As per CIS, data localisation will dissuade foreign companies from investing in and outsourcing to India as requiring them to store data locally will be cost ineffective to them.
1.3 As per the Centre for Trade and Investment Law, data localisation would have a negative impact on India’s trade with other countries.
1.4 Harvard FXB is of the opinion that a blanket call for data localisation for all sectors is detrimental.
1.5 As per ORF, data localisation will drive up costs as data centres are expensive to build and maintain, and once they are built, require little manpower and do not generate any substantial employment.
1.6 As per ITI, mandating localisation can increase costs for companies to procure data services by 30-60%; economy-wide data localisation could cost India its GDP by 0.8% and decrease investments by 1.3%.
2. No clear response (6 responses): iSPIRT, Access Now, CCG, Professor Graham Greenleaf, and Legal Academics and Advocates
2.1 These stakeholders did not have a clear response on this issue.
3. Localisation will not have a significant impact on industry (1 response): Omidyar Network
3.1 Omidyar Network is of the opinion that data localisation may not have a very significant impact in India, since market leaders such as Amazon and start-ups now have data centres based out of India.
Overview: Key arguments for and against data localisation
|For data localisation||Against data localisation|
· Not applicable as no stakeholder has put forth any substantive arguments in favour of data localisation.
· Important to note that while Professor Graham Greenleaf has acknowledged that data localisation is an appropriate response in some situations, he finds that it may be best to leave data localisation requirements to sectoral laws dealing with sensitive personal information, rather than trying to include a generic answer within a data privacy law.
· Data localisation requirements are contrary to the goals of Digital India. (BSA)
· Data localisation requirements are inconsistent with international trade agreements. (BSA)
· Data localisation results in increased costs to economies and local companies. (BSA and Takshashila Institution)
· Data localisation limits access to global services. (BSA and Takshashila Institution)
· Due to its high costs and limiting effect on access to services, data localisation hinders innovation. (BSA and Takshashila Institution)
· Mandatory data localisation undermines the fundamental openness and interoperability of the internet. (Access Now and Legal Academics and Advocates)
· Localized data does not meet its stated aim of preventing foreign surveillance, since it is also susceptible to access by foreign authorities. (Access now)
· Data localisation presents issues of security since it makes it easier for the State and other parties to exercise surveillance or misappropriate data for other purposes. (CIS)
· The increased transparency of the State over an individuals’ data signals the beginning of a slippery slope that might lead to further restrictive measures such as a ban on end-to-end encryption. (Takshashila Institution)
· Data localisation requirements restrict individual liberty and access to services available for Indian consumers. (CIS)
· Data localisation is not the best form of security. Cloud computing is better since it contains many layers of resiliency to prevent and mitigate the risk of security incidents and prevent such incidents from propagating throughout the network.
· Data localisation is an unnecessary burden on service providers. (SFLC)
· Data localisation is bad for MSMEs. (SFLC)
[This post is authored by Shreya Mohapatra, TRA intern and Tuhina Joshi, Associate with inputs from Nehaa Chaudhari, Public Policy Lead].