Local privacy, global perspectives

It is most surprising that India's bid to enforce data localisation is being strongly contested by the European Union, which boasts of hosting among the world's toughest personal privacy regimes. EU, US, Russia and China all have their ways to strongly and legally protect their sensitive personal and organisational data locally. One wonders why the practice of local data protection locally is not good for India, from their external perspective. EU's General Data Protection Regulation (GDPR) gives its citizens the right to demand companies to disclose and delete information held about them. No one contested GDPR. China does not give a damn about what outside nations and corporates think about its stringent data protection regulation. Then, why is the outside world making so much fuss about India's data localisation policy?

Interestingly, GDPR has won international support from global tech companies such as Apple and Facebook and even from China's Huawei, the world's largest telecom gearmaker. EU passed the ambitious internet privacy law in May. However, when it comes to India, EU and global technology players think India's data localisation requirements are unnecessary, "be it from a data protection standpoint, as a matter of economic policy or from a law enforcement perspective". Bruno Gencarelli, head of International Data Flows and Protection at the European Commission, made an official submission to India's Ministry of Electronics and Information Technology (MeitY), pleading that such regulations would create "unnecessary costs, difficulties and uncertainties that could hamper business and investments". Gencarelli even raised concerns on the independence of the Data Protection Authority of India that would supervise and investigate the application of the law, and the exemptions for the free collection and processing of data in the interest of 'national security'. The European Commission published its submission to MeitY on its website on November 19.

Obviously, local data protection locally has a cost aspect. Multinational organisations doing business with India will have to bear an additional cost for data localisation. Foreign operators may have to duplicate infrastructure to be able to hold a copy in India. They could be worried about how Indian action on data localisation may induce other countries to follow suit. But, that is not India's concern. The world's fifth largest economy, having the second-largest population and boasting nearly a trillion-dollar foreign trade is not expected to continue with a flexible data collection and deposit regime for long. If other economically and militarily stronger countries can go against the internet's so-called general philosophy of seamless flow of data, there is hardly any reason supporting why India should not locally protect its sensitive personal and organisational data.

Last year, MNCs operating in the country scrambled to try and meet an RBI-mandated deadline to store Indian users' financial data in the country. This was a major step towards "data localisation". Most large domestic companies were delighted as the government firmed up its stance on storing the data of Indian users in the country. Data localisation is a concept. It fortifies the need for processing and storing the personal data of a country's residents within that country. As of now, much of cross-border data transfers are governed by individual bilateral "mutual legal assistance treaties".

Data security is a global issue because most countries are facing data security problems — personal, corporate, organisational or military. While China's Huawei and ZTE have been in news in the western world and in its Pacific allies such as Japan, Australia and New Zealand on account of security concerns, there is no reason to believe that other big telecom companies and equipment manufacturers could be trusted with sensitive data. Last year, the intelligence chiefs of USA, UK, Canada, Australia and New Zealand held a meeting to make plans on publicising their concerns about allowing Huawei equipment to operate in their countries and governments. UK's state-run laboratory, set up specifically to evaluate Huawei hardware and software, reported 'shortcomings' in Huawei's engineering processes that raised security risks. Following a big push from the British government, Huawei agreed to spend $2 billion to address the issues. In August, last year, the US Congress passed a law specifically prohibiting US government agencies from purchasing or using telecom and surveillance products from Chinese companies like ZTE and Huawei, which have been particularly named in the law.

India needs its own set of personal data protection laws and regulations as the country is fast moving towards a digital economy. Incidentally, Supreme Court in a landmark judgement has declared privacy as a fundamental right of any individual. The Srikrishna Committee, responsible for drafting the Bill, has noted the need for a legal framework that can act as a template for developing countries across the world. The expert committee took into account three key approaches to data protection that are currently being adopted by other countries. They are: America's sectoral, EU's omnibus regulatory approach and China's data protection approach for averting national security risks.

The proposed Indian law awards the sense of rightfulness to the individual by calling them "data principals" and pronouncing a duty of trust for organisations by calling them "data fiduciaries". EU has termed individuals whose personal data is being processed as "data subjects" and organisations responsible for determining the purpose of processing "data controllers". The Bill introduces a set of new obligations such as periodic data audits, maintaining the records of data processing and performing data protection impact assessments. The obligations identified in the draft bill will be applicable not only to data fiduciaries established in India, but also to data fiduciaries carrying out the systematic activity of offering goods and services to data principals in India or performing any activity that involves profiling of data principals within the country. Unfortunately, the latter seems to have become a concerning issue for some foreign countries, their businesses and trade organisations.

(The views expressed are strictly personal)