This is part two of a three-part series on the impact of the Data Protection Bill on businesses. Read part one here and part three here.

In a nutshell

• Data localisation will likely increase the infrastructure costs of startups

• Cross-border sensitive personal data flow will become quite difficult

• It could become difficult to negotiate and work with foreign companies

“If you’re given the information about what rights you have over your data, you’re likely to use it more.”

Expedited digitization of the economy and easier access to the internet has made data security extremely challenging. With the aim for a specialised but comprehensive legislation, the Joint Parliamentary Committee proposed levying new compliances and requirements for data protection on businesses in India. The new draft law demands an infrastructure that keeps customers informed and notifies about data collection and processing at all times. The other option? Pay hefty penalties or go out of business. 

So what does it mean for startups in India?

Since investment on data protection tools and data localisation are going to increase operational  costs, startups are right to be worried about slower growth and increased losses. While speaking at an ADIF webinar on the Impact of Data Protection Bill, 2021, on Indian Startups, The Quantum Hub’s Deepro Guha discussed the objectives and possible impact of data localisation. 

“India creates a lot of data — one of the highest amounts in the world. Keeping that data to innovate further and create services are part of the broad goals of data localisation,” Guha said. 

Citing reasons of national security, speedy redress of cases and data sovereignty, the JPC has retained the data localisation mandate in the Bill. It, in fact, suggested that India gradually exploit the mandate and incentivise investments to build a data storage ecosystem in India.

The Bill categorises data into 3 types:

I. Personal Data: Personal data may be stored abroad, but needs a “serving copy” of the data to be stored on a server in India

II. Sensitive Personal Data: Sensitive personal data may be stored and processed abroad, but only with the explicit permission of the DPA/Govt

III. Critical Personal Data: Critical personal data can be stored and processed in a data server located only in India 

Specifically, all sensitive and critical personal data must be stored in India and can only be transferred outside India for processing but under certain conditions and with the approval of the DPA and the central government.

The JPC has also suggested that the central government should take steps to ensure “that a mirror copy of the sensitive and critical personal data which is already in possession of the foreign entities be mandatorily brought to India in a time-bound manner”. This suggestion, however, has not been reflected in the JPC’s edits to the Bill.

Objectives of Data Localisation

One of the most important aspects of the proposed laws in the Bill is data localisation. So, why did the government include these clauses which require local storage/processing of data?

• Having well-defined data protection laws can improve the efficiency of governing data and help law enforcement during breaches and misuse.

• India’s data laws aim to protect user data of citizens by preventing foreign surveillance.

• A positive aspect of data localisation for startups lies in the fact that it will fuel the growth of the data ecosystem in India. Data can be kept in India and used to further innovate to create services and create a level playing field for Indian startups pitted against foreign giants of an industry.

Possible Impacts Of Data Localisation
With its data localisation mandate, the JPC seems to want to bring data home, even the data that’s gone. While believing that storing data in the country is going to encourage more and more Indian data centres, it’s clearly missing some crucial arguments.

1. In an ICRIER survey of 225 startups, 186 reported that their infrastructure costs will increase by an average of 10% if data localisation is enforced. Probably in response to the cost narrative, the government in the recent Budget announcement gave data centres and data storage systems “infrastructure” status for easier financing. Further, sufficient subsidies for setting up data infrastructure should be given for Indian startups. 

2. The government assumes that storing data in India is the solution for protecting data. But in this attempt, it misses the focus on strengthening adequacy and transfer tools. Implementing data localisation will mean that cross-border sensitive personal data flow will become quite difficult.  

“A lot of startups use cloud computing services. However, if these data localisation measures are implemented then sending sensitive personal data to a foreign cloud server will be difficult. You will have to get individual contracts approved by the government, leading to delays in time and increased costs,” Deepro Guha pointed out at the ADIF webinar.

3. It’ll be difficult to negotiate and work with foreign companies due to data localisation mandates.   

4. The government is yet to clearly define critical personal data. On the other hand, the definition of sensitive personal data is broad and doesn’t consider the many facets to different categories of data. For instance, there is a case of confusion when it comes to financial data, with the government not specifying which types of financial data will be treated as sensitive personal data.

There’s a risk of fragmenting the internet if other jurisdictions react to these localisation mandates. The government should focus on laying down well-defined strategies for data governance instead of proposing hard localisation mandates. For example, alternatives to data localisation such as APEC Cross-Border Privacy Rules (CBPR) could be considered. 

With research inputs from The Quantum Hub.