India and Data Localisation - Current Scenario

Staunch opposition from the US on countries calling for data localisation, let us see where India stands in this scenario.

The Internet generates huge amounts of data. Majority of the world’s big technology companies reside in the US and the data thus collected is stored in the US.
Data Localisation refers to regulations that enable a country’s citizen’s data to be within the boundary of that country.
In effect, the technology companies have to set up data storing centres within the country where data originates.

In 2018, the Justice Sri Krishna Committee supported data localisation on the grounds that it is critical for law enforcement.
Access to data stored in other countries is dependent on many rules and regulations of that country and exhorts legal issues.
The report thus suggests keeping at least a copy of data generated within the country.
Also, in the international arena, there is no level playing field in technology.
Developing countries like India may be reaching the levels of developed nations, but data must be stored locally to protect it from foreign surveillance.

At present, there are no systematic laws related to data protection in India.
The only rule that requires data to be stored locally is of RBI’s rule on payment systems.
RBI norms require storage of all payment systems data within the country.
The Sri Krishna Committee Report is a white paper on data localisation available for the public.
The recent Draft Personal Data Protection Bill, 2018 has many requirements related to data localisation.
The draft e-commerce policy is another proposed law that calls for data localisation. It calls for the prohibition of transfer of user’s data to third parties other the parent company of the Indian e-commerce entity.

The major reason companies are reluctant to comply with data localisation is the costs.
Costs in the form of servers, USPs, generators, cooling costs, personnel, and buildings.
Companies are also of the view that Indian is not yet ready to have such infrastructure and ecosystem.
It is estimated that about 10% to 50% costs may increase for any large e-commerce player in the country depending on how strict the final law is.
But, this might not be an issue for big e-commerce and social media players.
It is the small companies that suffer.
Though the guiding spirit for the Indian Data Protection Bill is the EU General Data Protection Regulation (GDPR), from academic depth to extensive consultations, the Indian bill is far from perfect.

On India’s data protection laws the EU had stated that data localisation causes unnecessary impediments to companies in the form of costs and they might lead to fewer investments.
EU also noted that it will hamper commercial data exchanges and further it may be an impediment to India-EU free trade agreement that is under negotiation.
Going ahead, India needs to assess its current stringent data localisation norms and have to consult more with the firms and academia to bring out an effective law that will satisfy all.