What's New :
History Foundation 2022 (Batch - 6): Batch will be started from 10th December, 2021
Public Administration Foundation 2022 (Batch - 7), New Batch will be started from 13th December, 2021
Political Science Foundation 2022 (Batch-4), Batch will be started from 09th Dec, 2021
IAS Foundation 2023-24: New Batch will be started from 14th December, 2021

Data Localization

  • Category
    Economy
  • Published
    4th Nov, 2018
  • Like in many other countries, the political narrative in India also seems to be tilting towards data localization. This may be gauged from recent developments in the regulatory and policy framework on data governance, which may compel companies to set up their centres within Indian shores.
  • Goals set in the Draft National Digital Communications Policy 2018, along with various government notifications and guidelines such as Reserve Bank of India’s notification on Payment Data Storage 2018, and the Guidelines for Government Departments for Contractual Terms related to Cloud Storage 2017, show signs of data localisation.

Issue

Context:

  • Like in many other countries, the political narrative in India also seems to be tilting towards data localization. This may be gauged from recent developments in the regulatory and policy framework on data governance, which may compel companies to set up their centres within Indian shores.
  • Goals set in the Draft National Digital Communications Policy 2018, along with various government notifications and guidelines such as Reserve Bank of India’s notification on Payment Data Storage 2018, and the Guidelines for Government Departments for Contractual Terms related to Cloud Storage 2017, show signs of data localisation.

About:

Data localization is a measure adopted to give countries increased control over the data    belonging to their citizens and residents. Due to the transient and pervasive nature of data on the internet, its security is constantly threatened and indeed been breached at several instances. Data localization is therefore conceived as means of enforcing data protection regime to secure data of the citizens and the critical interests of the nation state. This is achieved through:

  • Restricting the transfer of data across national borders.
  • Preventing transmission of data through enforcement of rules.
  • Retaining copy of data within the country which have been exported.
  • Taxing the export of data
  • Enforcing applicable laws of the country vis-à-vis data security.

Data localization has become an indispensible aspect of the data protection regime of the modern nation-states in the era of digitalization and ubiquitous presence of internet. China, Russia, Australia, Canada, European Union and several other countries have already adopted data localization provisions. In this respect it becomes imperative for India to devise policy and regulatory framework consistent with current international practices to protect and localise data.

Cloud computing refers to the provision of software, storage and other services to customers from remote data centres. It allows companies to use programs at lower operational costs as programs and data are not stored at the customer’s own data centres, or on their desktops.

Background:

Various numbers of policy and regulatory initiatives in the recent past regarding data protection have set the ball rolling in India for data protection and data localization.  Although, the initiative are yet to be implemented and are in embryonic stage, these are clear indication of growing consensus on data localization.

  • The recent reports by Justice B. N. Srikrishna Committee and the Personal Data Protection Bill, 2018 underlined the following recommendations for data protection
    • All personal data to which the law applies must have at least one serving copy stored in India
    • In respect of certain categories of personal data that are critical to the nation's interests, a mandate is intended to be made to store and process such personal data only in India such that no transfer abroad is permitted
    • Central Government will be vested with the power to exempt transfers on the basis of strategic or practical considerations.
  • The e-commerce policy conceived in e-commerce draft bill 2018 mandates data localization in India. It underlines that:
    • Mandating data residency makes it easier for the government to have access to data without dealing with privacy laws in other jurisdictions.
    • The policy provides incentives like waivers on import duties and other taxes that are needed to set up data storage centres. There’s a two-year sunset clause by which e-commerce entities would have to move personal data to India.
    • The bill suggests the creation of a social creditworthiness database using data from bank accounts created under the Prime Minister’s Jan Dhan Yojana, from Aadhaar, and mobile phones (collectively called the “JAM Trinity”).
    • The bill envisages re–examination of National Encryption Policy 2015, to provide government access to personal and institutional data held by corporate in times of problematic and security related situations.
  • Reserve Bank of India early this year came out with directives for financial entities to restrict the data related to the payment system within India. It is observed that not all system providers store the payments data in India. It has, therefore, been decided that:
    • All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.
    • System providers shall ensure compliance within a period of six months and report compliance of the same to the Reserve Bank latest by October 15, 2018.
    • System providers shall submit the System Audit Report (SAR) on completion of the requirement.
    • The audit should be conducted by CERT-IN empanelled auditors certifying completion.

Existing data protection framework in India

Presently, there are neither existing specific regulations nor any vested body for data protection in India. The digital era has triggered concerns about data protection. For mitigating against privacy concerns and national security concerns, the Indian legislature and governments have over the years passed some laws in this regard:

1.

General Application: Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011

2.

Govt. Collection of Data: Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016; Aadhaar (Data Security) Regulations, 2016

3.

Banking Sector: Credit Information Companies (Regulation) Act, 2005; Credit Information Companies Regulations, 2006; circulars of Reserve Bank of India including KYC circulars; Master Circulars on credit cards, etc.; Master Circulars on Customer Services; Code of Bank's commitment to Customers

4.

Telecom Sector: Unified License Agreement issued to telecom service providers by the Department of Telecommunications; Telecom Commercial Communication Preference Regulations, 2010

5.

Healthcare Sector: Clinical Establishments (Central Government) Rules, 2012; Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002

You must be logged in to get greater insights.
X
Enquire Now