The government’s stance on data localisation is significantly different from the old version of the Bill, in which it had categorised data as personal, sensitive and critical.
It had also said that certain categories of data would have to be necessarily stored in the country, while copies of other kinds would have to be retained within India for law enforcement purposes.
“Meta and Google (Alphabet Inc-owned entity) will find this changed localization stance very helpful. They were potentially facing huge challenges related to localization, law enforcement access, etc. This will give them a breather and more,” said public policy and cyber expert Prasanto K Roy.
ET reported on November 16 that data would be allowed to be transferred and stored in “trusted” countries, in the revised data protection Bill, since renamed as the Digital Data Protection Bill.
The government will decide which countries will feature under the ‘trusted’ category from time to time, officials said.
Experts said the new provisions on data transfer may also not run afoul of the earlier stance taken by the Reserve Bank of India (RBI), which had sought storage of payments data in servers located within the country.
“There will be zero impact on Amex, Mastercard and Visa. They have complied with the April 6, 2018, RBI directive, investing hundreds of millions of dollars… RBI is not bound to change its extant laws. Even if it hypothetically did, the card networks have already invested in localization and aren’t about to write it off,” Roy added.
He added that the central bank was exploring the possibility of making data processing inside the country mandatory as part of its 2025 vision. The new data transfer revisions “will encourage it to follow suit and at least allow processing in trusted jurisdictions,” he said.
India’s proposed decision is in line with what many other countries and blocs have put in place, especially the European Union’s General Data Protection Rules, lawyers said.
GDPR already has a third-country data transfer provision. It states that other jurisdictions should have policies and data protection laws similar to the EU's and, based on adequacy decisions, the EU has published a list of countries where data transfer is specifically permitted.
Some experts, however, warned that much will depend on the fine print of the revised draft legislation, since changing geopolitics can weigh on the countries eligible for such data transfer. The terms of data storage are also not known yet.
The impact on companies and people of allowing data storage in “trusted jurisdictions” will depend on the factors taken into consideration while deciding if a jurisdiction is “trusted” or not, the independence of the authority that makes this decision, the transparency of the process, and the avenues available to challenge the assessment, said Namrata Maheshwari, Asia Pacific Policy Counsel at Access Now.
“This will also have an impact on trade agreements between India and other countries, the kinds of companies that offer services in the Indian market, and the treatment of people’s data both within the country and outside,” Maheshwari added.
Arun Prabhu, partner and head, Technology, Media & Telecom practice at Cyril Amarchand Mangaldas, said it could be beneficial as cross-border data flows take place within a similar framework.
“The regulatory logic behind it is that regulators continue to have access to that data,” Prabhu said. “And both regimes guarantee to each other that in practical terms as well as in terms of the law, they offer roughly comparable or equivalent levels of data protection or data security. So, if that is the approach, it may be beneficial; it will obviously depend on how this ‘trusted’ regime is going to be defined.”
While it could help simplify compliance for stakeholders in India and abroad, the lack of an existing framework would be an issue, said Anupam Shukla, Partner, Pioneer Legal.
“Without any international data privacy frameworks in place for India, much more clarity will be needed on how the cross-border transfer of Indian data will be regulated going forward,” he said.
Maheshwari also said that for any assessment on whether another jurisdiction is trusted, India itself needs to have a strong data protection framework “with privacy safeguards that inspire trust.”
ET reported that criminal penalties proposed on staff of companies involved in data breaches would also be scrapped in the new draft, which is likely to be released for public consultation this week.
Instead, financial penalties of as much as Rs 200 crore, multiplied by the number of users impacted, will be imposed per breach, an official said.
A Data Protection Board will be set up to “adjudicate the consequences of any data breaches,” the official added.
The revised draft will also drop provisions on regulating non-personal data and social media.
Some early-stage startups will be exempted from the provisions of the Bill.