Analysis of JPC report on Data Protection Bill 2019: Data Localisation
Data Localisation can be understood as a concept where restrictions are imposed on cross border transfer of data and data is mandated to be often stored within the country. These restrictions can be in any form, like a complete prohibition of transfer or allowing transfer after obtaining requisite permissions or taxation on transfer.
Recommendation 11 of the Committee Report directs that the Central Government must ensure a mirror copy of “sensitive and critical personal data” which is already in possession of entities outside India be obtained and brought to India in a time bound manner. The reasons provided by the committee are three fold. One, protection of privacy of citizens. Two, security of the state and three, economic and technological development. These are in line with the reasoning provided by the committee chaired by Justice Srikrishna.
However, over time many experts have questioned whether data localisation can actually achieve the states goals or will only result in increased and unchecked surveillance by the national state and it’s law enforcement agencies. It has been argued that, protecting of privacy through data localisation heavily relies on the strength of privacy laws in the country. If the country where the data is being stored itself allows for unchecked surveillance, data localisation is bound to fail to achieve protection of right to privacy. Considering the legal and policy framework that exists in India and wide reaching exemptions allowed to the central government in the Draft Bill (clause 12 and 35), data localisation is not a welcome move. This could lead to large scale surveillance of citizens.
There are other less restrictive methods which can also protect state interests of security and law enforcement rather that having a blanket law for data localization. Alternatives to data localization can be conditional transfer of data, better transparency standards and international agreements. It must be noted that data localisation norms can come with heavy costs for many data extensive businesses. There needs to be studies which look at data localization in terms of its impact on Free Speech, Government surveillance and Economic costs.
Data localisation could affect the principles of open internet and the way the internet functions. If each nation starts coming up with data localization requirements , the promise of a borderless digital space will be lost. Moreover, unless there are stringent safeguards protecting citizens from digital surveillance, localisation could lead to large scale surveillance by governments.
An argument raised in favour of data localisation is that it will generate employment and will also lead to better AI ecosystems. The validity of this assumption has been widely questioned. It is rather naive that Indian policy makers are relying on this assumption without conducting an in depth study of economic benefits accruing from this. In addition, it has also been argued that data localisation will not automatically translate into better AI development as the ownership of the data is still with the data fiduciaries. Therefore there is definitely a need for the government to rethink this argument.
Analysis of the clauses:
Clause 33 and 34 of the Data Protection Bill, 2021 are the provisions which deal with Data Localisation. Clause 33 provides for a conditional prohibition on cross border transfer of sensitive personal data, however, a copy of such data must be stored in India at all times. With respect to critical personal data, it provides for what may appear as an absolute prohibition on transfer. However, clause 34(2) allows for transfer of critical personal data as well. In addition, critical personal data shall be defined by the Central Government. There is no definition that has been provided for Critical Personal Data in the Bill.
Clause 34 provides for the conditions which need to be satisfied for transfer of sensitive and critical personal data. Sub clause 1 provides for conditions for transfer of sensitive personal data. The data fiduciary has to obtain an “explicit consent” from the data principal AND:
Where the transfer is made pursuant to a contract or intra group scheme. This scheme or contract must be approved by the Data Protection Authority in consultation with the Central Government. This phrase was not there in the 2019 version of the Bill, and has been added across the section. However, it is unclear if this consultation will be binding on the DPA or not. Further, the proviso lays down the conditions for approval of the scheme by the central government and the DPA. The committee has added an additional condition here for approval of the scheme, it is that the object of the transfer (and not the contract or the scheme) is against public policy or state policy.
The committee has also added explanations as what does an act against public policy or state policy means which are as below:
Promotes the breach of any law.
Is not in consonance with any public policy or state policy in this regard
It has a tendency to harm the interest of the state or citizens.
It must be noted here, that the explanation has been drafted in a very vague manner. For example, the phrase promotes breach of law, which means the transfer does not objectively have to breach a law, only promoting to do so, in the opinion of the DPA and Central Government is enough. Same applies to tendency to harm, what will be the standard of this tendency also gives wide discretion. Lastly, the condition of it being according to public policy. It must be noted that public policy, has always been a very broad concept and has been understood and interpreted by courts in different manner in different context and legislations. There have even been instances of court interpreting the term differently within the same legislation. This does not only give wide discretionary power to the government and the DPA but will also lead to multiple interpretational problems.
Where the Central Government after consultation with the Authority allows the transfer to a country or entity or a class of entities or an international organisation. Here the committee has added a condition that the transferred data shall not be further shared with any foreign government or agency unless an approval is obtained from the Central Government. This is a welcome addiiton as it will protect the citizens from being subjected to surveillance from governments of other countries.
Where the Authority in consultation with the Central Government has allowed for the transfer necessary for a specific purpose. This clause is absolutely vague and basically allows transfer for any purpose.
Sub clause 2, provides for transfer of Critical Personal Data. The conditions for such transfer are:
For the purpose of health or emergency services where prompt action is required under clause 12. In addition all transfers under this clause will be informed to the Authority within the prescribed period.
Where the central government deems such transfer to be permissible under sub clause 34(1)(b) AND it does not prejudicially affect the security and strategic interests of the State.
It must be noted here that NO consent from the data principal is required for transfer of critical personal data. There is a lack of clarity on what all will critical personal data comprise of. Keeping mirror copies of sensitive personal data could lead to state surveillance.