Posted on January 7, 2021
Co-authored by Tanya Varshney and Varun Anand*
In simple terms, ‘data localization’ means storage of data within the local limits of the jurisdiction of the data subject. With the challenges posed by the COVID-19 pandemic, people are using online services across the world and connecting with others in many different jurisdictions. Such free flow of data and information also raises questions such as applicability of national data protection laws, jurisdiction of courts, exercising the rights and remedies of data subjects in foreign jurisdictions, etc. In this regard, some jurisdictions (such as the European Union) have imposed restrictions on cross-border transfer of personal data. This article analyses the data localization versus free flow of cross-border data arguments in the context of the Indian laws.
The primary legislation with respect to data protection in India is the Information Technology Act, 2000 (“Act”) read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Rules”). Under the Rules, ‘personal information’ is defined as any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. The definition does not specify whether a ‘natural person’ should be situated in India.
Transfer of data is covered under Rule 7 which states that the body corporate may transfer “transfer sensitive personal data or information including any information” to entities outside India if such entity ensures the same level of data protection as mandated under the Rules. Additionally, the transfer would be allowed if (a) it is necessary for the performance of a lawful contract or (b) the data subject has consented to such transfer.
The Srikrishna Committee Report, 2018 (“Report”) acknowledges that free flow of data across borders is essential for a free and fair digital economy, but certain regulations are necessary when data controllers wish to transfer personal data outside India. Referring to the White Paper of the Committee of Experts on a Data Protection Framework for India, the Report suggests that the cross border transfer of data may be subject to preconditions of adequacy and comparable level of protection for such data. ‘Adequacy’ test means whether a country possesses adequate level of protection for personal data. The White Paper recognizes that personal data is of different types (as even under the Indian scenario it is “personal data” and “sensitive personal data”) and thus a “one-size-fits all” approach would be untenable. India, being a developing country, also has the additional burden to catch up to the technological advancements of other nations. Thus, cross-border transfer of data may prove to be an attractive option for the digital economy. The Report recommends that a Data Protection Authority should draft a model contract for such transfers and mandate transferring entities to incorporate such model clauses. The model contract will contain the key obligations on transferee entities as per the Indian law, including security, purpose limitation, storage limitation and a responsibility to fulfil rights of individuals. The Report also suggests audits and self-certifications to be regularly done to further ensure that adequate protection is taken.
The Reserve Bank of India (RBI) also issued the circular RBI/2017-18/153 “Storage of Payment System Data” dated April 6, 2018 under Section 10(2) read with Section 18 of Payment and Settlement Systems Act 2007. The RBI observed that various system providers were storing the payment data of customers outside India and it was difficult to monitor the same. The RBI noted that “it is important to have unfettered supervisory access to data stored with these system providers as also with their service providers / intermediaries/ third party vendors and other entities in the payment ecosystem”. The RBI directed, in the said circular, that the system providers shall ensure the data relating to payment systems in only stored in India including the full end-to-end transaction details (this would mean even from the stage of initiation of the payment, adding bank details, receiving the ‘One Time Password, etc), except the “foreign leg” of the transaction. In other words, the actual receipt information generated outside India.
In India, with the introduction of the Draft Personal Data Protection Bill, 2019 (“Bill”), “cross-border flow of data” finds itself in various provisions. In terms of Section 7, the data fiduciary should give a notice to the data subjects regarding any cross-border transfer of the personal data that the data fiduciary intends to carry out. Under Section 23, the data fiduciary is obligated to be transparent about the cross-border transfers of personal data that it generally carries out. Under Section 49, the Adjudicating Authority shall also monitor such cross-border transfer of personal data and also has the power to suspend the same.
In terms of Section 33, ‘sensitive personal data’ can be transferred outside India, but shall continue to be stored in India subject to explicit consent given by the data subject for such cross-border and the conditions laid down under Section 34, namely:
- the transfer is made pursuant to a contract or intra-group scheme approved by the Adjudicating Authority with such contract providing effective protection of the rights of the data subjects and lay down the liability of the data fiduciary in respect of such transfer; or
- the Central Government has allowed the transfer to a country or, such entity or class of entity in a country or, an international organisation on the basis of an adequacy decision and assessment that the transfer shall not prejudicially affect the enforcement of relevant laws by authorities with appropriate jurisdiction; or
- the Adjudicatory Authority has allowed transfer of any sensitive personal data or class of sensitive personal data necessary ‘for any specific purpose’.
In terms of Section 33(2) ‘critical personal data’ can only be processed in India. However, Section 34(2) any critical personal data may be transferred outside India if:
- the transfer is made to a person or entity engaged in the provision of health services or emergency services where such transfer is necessary for prompt action; or
- the transfer is made to a country or, any entity or class of entity in a country or, to an international organisation, where the Central Government has deemed such transfer to be permissible and where such transfer in the opinion of the Central Government does not prejudicially affect the security and strategic interest of the State.
While ‘sensitive personal data’ has been defined under the Bill to include a wide range of information such as financial data, health data, sexual identity and orientation, biometric data, caste, religious beliefs, etc., ‘critical personal data’ has not been defined. The explanation to Section 33 states that the Central Government may notify the categories of personal data to constitute ‘critical personal data’. The Bill has given the Government authorities significant discretion to monitor and regulate the cross-border flows of data. The Bill also does not set out any parameters for the Central Government to make its decision for categorization of critical personal data. This may indicate the Government’s slight bias towards data localization, especially in light of the recent take down orders and bans. (See here and here).
In the European Union, Chapter 5 of the General Data Protection Regulations (“GDPR“) governs the transfers of personal data to third countries or international organization. The cross-border data transfer is only permitted if the data processor and the controllers comply with Articles 44-50 of the GDPR (in addition to the other basic obligations thereunder). Firstly, cross border transfer is permitted where the European Commission (EC) decides that such third country ensures an “adequate level of protection”. In other words, the EC examines the adequacy of the data protection laws and data security standards of other countries and gives them a “green light” to go ahead. The EC has given this green light to a few jurisdictions including Canada, Japan, New Jersey, amongst others. Secondly, cross-border transfer is permitted where controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available in such third countries. Thirdly, cross-border transfer is permitted where there is an international agreement with the third country and the data is required by any judgment of a court or tribunal and any decision of an administrative authority of a third country. Aside from the above, certain derogations are permitted for cross-border transfers under Article 49 such as where the data subject has been made aware of the security risks and has explicitly consented to the proposed transfer, transfer is necessary for the performance or conclusion of a contract between the data subject and controller, public interest, legal defense, transfer is necessary in order to protect the vital interests of the data subject or where the data subject is incapable of giving consent, and by the Government.
Conclusion and Recommendations
There are many policy-based arguments which can be made favoring both data localization and free flow of cross-border data transfers. In an age where cyber security and threats of that nature are far more likely than the older notions of battle or war, data localization helps prevent foreign surveillance by maintaining a higher standard of control over who gets access. Two, it allows local law agencies to monitor and get access to data with ease, for example, they could use their access to the data to either maintain a watchlist of potentially dangerous individuals, or look through conversations or posts to determine who might pose a threat to the country and its sovereignty, which in turn helps them to detect crimes or any similar violations of the law.
The localization of data may help local industries grow and develop, and likely increase jobs and provide a competitive edge to local businesses over their foreign competitors. This could also attract investors and result in economic development. Further, the growth of AI technologies is heavily dependent on harnessing data, so for the country to remain competitive in that arena, it would require that the data was processed within the country using local infrastructure built for specifically that purpose.
On the other hand, data localization also requires the creation of widespread infrastructure to store data in the Indian jurisdiction, requiring hefty investment and generating a barrier to trade. This would likely also result in increased prices on the data users, as companies attempt to pass the burden of the cost onto them or deter companies from providing services to Indian users. Presently, the internet’s functioning architecture is underpinned by the free flow of data, for example, cloud computing, which spreads data across various data centers to make affordable and convenient on-demand access to a shared pool of processing or storage facilities, while the actual physical location of the data remains largely invisible to users. This means that localization would prevent global companies from launching their products and services in India, cutting its citizens off from the latest global innovation engines and giving us a comparative disadvantage. Lastly, in terms of the user experience, instead of choosing a fast and cheap data service provider, data users would likely be forced to choose local data service providers who have next to no incentive to provide high quality services when faced with a lack of competition in the landscape.
With respect to concerns about national security, localization might not help local agencies if they do not have the necessary encryption key, especially when most communication (like WhatsApp for example) functions with end-to-end encryption. Also, localization of data may give a domestic government extensive control over the data of individuals, greatly increasing the likelihood of government surveillance, resulting in a potentially Orwellian violation of our right to privacy. In any case, India’s legal framework with respect to cross-border data transfers is still relatively in the nascent stage with the Personal Data Protection Bill still being under Parliamentary review.
*Tanya Varshney, Founder and Chief Editor of IntellecTech Law, is a practicing lawyer based in New Delhi focusing on Intellectual Property, Technology-Media-Telecommunications, Data Protection, Commercial Disputes and Corporate-Commercial work.
*Varun Anand, a final year law student at Jindal Global Law School, is interested in Technology-Media-Telecommunications and Data Protection laws and has undertaken and completed internships at leading law firms and think-tanks in these areas.
RBI/2017-18/153 “Storage of Payment System Data” dated April 6, 2018. Available at <https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244>
 Section 49(g), Personal Data Protection Bill, 2019
 Article 44, General Data Protection Regulations.
 Article 45, General Data Protection Regulations.
 European Commission, Adequacy Decisions. Available at <https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en>
 Article 46, General Data Protection Regulations.
 Article 48, General Data Protection Regulations.