Among the many important laws that were introduced in the winter session of the Lok Sabha was the Personal Data Protection (PDP) Bill, 2019.
The draft law is a comprehensive piece of legislation that seeks to give individuals greater control over how their personal data is collected, stored and used. Once passed, the law promises a huge improvement on current Indian privacy law, which is both inadequate and improperly enforced.
Data localisation in draft Bill –
- Among the more contentious issues in the Bill are the provisions pertaining to “data localisation”. The phrase, which can refer to any restrictions on cross-border transfer of data (for instance, requirements to seek permission for transfer, the imposition of taxes for foreign transfers of data, etc.), has largely come to refer to the need to physically locate data within the country.
- The PDP Bill enables the transfer of personal data outside India, with the sub-category of sensitive personal data having to be mirrored in the country (i.e. a copy will have to be kept in the country).
- Data processing/collecting entities will however be barred from transferring critical personal data (a category that the government can notify at a subsequent stage) outside the country.
Need for data localisation –
There are broadly three sets of arguments advanced in favour of imposing stringent data localisation norms –
- The first concerns sovereignty and government functions: the need to recognise Indian data as a resource to be used to further national interest (economically and strategically), and to enable enforcement of Indian law and state functions.
- The second claim is that economic benefits will accrue to local industry in terms of creating local infrastructure, employment and contributions to the AI ecosystem.
- Finally, regarding the protection of civil liberties, the argument is that local hosting of data will enhance its privacy and security by ensuring Indian law applies to the data and users can access local remedies.
Charting a middle path –
- The security of data is determined more by the technical measures, skills, cybersecurity protocols, etc. put in place than by its mere location. Localisation may also make domestic surveillance of citizens easier.
- The degree of protection afforded to data will depend on the effectiveness of the applicable data protection regime.
- As far as privacy is concerned, this could be equally protected through less intrusive, suitable and equally effective measures such as requirements for contractual conditions and using adequacy tests for the jurisdiction of transfer.
- If privacy protection is the real consideration, individuals ought to be able to choose to store their data in any location which affords them the strongest privacy protections. It is argued that data of Indians will continue to be more secure if stored and processed in the European Union or California (two jurisdictions which have strong data protection laws and advanced technical ecosystems).
Further, in order for localisation-related norms to bear fruit, there has to be broader thinking at the policy level. This may include, for instance, reforming surveillance-related laws, entering into more detailed and up-to-date mutual legal assistance treaties, enabling the development of sufficient digital infrastructure, and creating appropriate data-sharing policies that preserve privacy and other third-party rights, while enabling data to be used for socially useful purposes.
Source – The Hindu
QUESTION – One of the most contentious clauses in the Personal Data Protection Bill, 2019 is the issue of ‘data localisation’. Examine how India can pursue adequate protection of its data with minimum contentions.