23 May 2022
What is meant by data localization?
Data localization refers to storing data on a physical device within the territorial limits of the same country in which it was processed.
As per the Joint Parliamentary Committee’s Report (hereinafter referred to as the “JPC Report”), data localization “in broad terms, implies restrictions on the cross-border movement of data.” The Report categorizes data localization into the following:
- Hard localization: where transfer of data outside the country is forbidden and data is required to be stored within the country.
- Soft localization: where data is primarily stored within one country but also permitted to be transferred to other countries.
Global History of Data Localization
One of the earliest attempts to localize data was made in 2005 when Kazakhstan introduced a law that required all the data saved on “.kz” domains to be stored in Kazakhstan.[i] A decade later in 2015, Russia’s Federal Law No. 242-FZ[ii] was introduced which required operators to process personal data of Russian citizens using servers located in Russia.
In the years that followed, numerous countries considered or implemented legislation that mandated the storage of personal data relating to individuals residing in that country, within the county. In 2014 alone, about twenty governments proposed that technology companies store their data in data centres located within the country.
Data Localization Measures in India
A. Before the JPC Report
Prior to the introduction of the Data Protection Bill, 2021, data localization norms were implemented and proposed in various sectoral regulations. In 2018, the RBI issued a directive under the Payment and Settlement Systems Act 2007, which mandated that all data relating to payment systems operated by system providers is to be stored in a system in India. The data required to be localized includes end-to-end transaction details, information collected, carried, or processed as part of the message, or payment instructions.[iii] Accordingly, the RBI barred Mastercard[iv] from issuing new debit or credit cards to Indian customers for violating the said local data storage rules.
The Consolidated FDI Policy of 2020 also imposed a condition on the broadcasting sector which prohibited a company from transferring the subscribers’ database to any person or place outside India unless permitted by relevant law.[v]
The Draft Drugs and Cosmetics Amendment Rules, 2018[vi] also proposed the establishment of an e-pharmacy portal in India for the sale and distribution of drugs through a web portal and required the data generated on the portal to be localized. A proviso to this rule also prohibited the transfer or storage of data generated or mirrored through the e-pharmacy portal outside India.
B. After the JPC Report
The significance of storing data processed in India within the country was discussed at length by the Joint Parliamentary Committee on Data Protection[vii] while recommending changes to the Personal Data Protection Bill of 2019 (“Bill”). The Indian Data Protection Bill provides for soft data localization norms by permitting the transfer of sensitive personal data outside India on the condition that such data is continued to be stored in India.
The Joint Parliamentary Committee acknowledged India’s role in global data flows and drew attention to the rising significance of data localization by citing that Information Technology (IT) and IT-enabled services account for about forty percent of India’s exports. Further, about sixty-five percent of India’s IT and IT-enabled services produced are for clients across the globe.
While considering the benefit of data sharing and digital collaboration, the Committee stressed the need for data localization norms to mitigate risks associated with cross-border data flow and for the achievement of objectives like:
- Information privacy
- National security
- Timely access to data by law enforcement agencies
- Employment generation from the development of data centres within the country
- Bargaining power to encourage data-based innovation
In furtherance of India’s objective of implementing data localization norms, the Indian Computer Emergency Response Team (CERT-In), the national nodal agency for responding to computer security incidents, recently directed[viii] all service providers, intermediaries, data centres, body corporates, and government organizations to maintain logs of all their ICT systems for a rolling period of 180 days within the Indian jurisdiction.
Impact of Data Localization in India
In many regions, data protection and privacy legislation are centered around consumer protection or the safeguard of data subjects’ rights over their data. As a consumer’s understanding of the rights and value of the data relating to them deepens, it may give rise to concerns over the safety of their data.
As per the Joint Parliamentary Committee’s Report on the Bill, in absence of data localization norms, residents and citizens of a country may have limited opportunities to have any compromise to their data remedied. Data localization may, therefore, aid the exercise of consumers’ rights over their data
Implementation of data localization norms in India would promote digital development in India by encouraging Indian companies to use data storage and hosting facilities within India. To comply with data localization rules, foreign IT companies will also be encouraged to establish their data centers in India, thereby increasing foreign investment in India.
Storage of data processed in India within the country will also enable easy access to data for Government and law enforcement agencies, thereby facilitating better enforcement of the law.
The Way Forward
There are no two views that the digital economy is growing by leaps and bounds, even if this growth comes at a cost. Data localization has always been considered a way to reduce damage to systems but is accompanied by its own set of challenges like the increase in regulatory complexity which may affect innovation and economic growth.
This impact is also reflected in several ongoing global events, including Meta, as it expressed concerns over the future of its products and services including Facebook and Instagram in Europe after its reliance on standard contractual clauses for the transfer of user data was held non-compliant with the law by the Irish Data Protection Commission.[ix]
However, many countries, including India, continue to strictly enforce this aspect of data protection for several reasons, including those mentioned earlier in this article. In the Budget for 2022-2023, data centres were included in the list of infrastructure to facilitate credit availability for digital infrastructure.[x] Further, India received Microsoft’s largest data centre investment.[xi]
With the Joint Parliamentary Committee’s recognition of the rising threats to data, particularly the cross-border transfer of data, and its recommendations to the Central Government, sectoral data localization norms and policies can be expected to only increase in India.
Disclaimer: This article is the copyright of Reina Consulting LLP. It is not intended to be a form of solicitation or advertising. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is viewed or that it will continue to be accurate thereafter. No person should act on such information without appropriate professional advice based on the circumstances of a particular situation. This information is not to be considered as legal advice or opinion and the firm shall not be liable for any action taken by the user, directly or indirectly, on the basis of such material.