On data localisation, government must create a balance between privacy and commerce
Even Justice Srikrishna has conceded that localisation is not a perfect solution and that the government has the authority to relax conditions on data localisation based on the criticality of information and the situation
The government has asked American e-commerce major, Amazon, to set up a server in India in an attempt to prevent the unchecked migration of personal customer data. The last few months have seen an increase in demands for data localisation, with even the Reserve Bank of India calling for local storage of financial data. Although there is no law in India regarding data safety at present, the government is working on evolving a data protection framework. On July 27, after year-long public consultations, a committee of experts headed by former Supreme Court judge, BN Srikrishna, submitted its report on the principles that will guide the framing of India’s data protection statute. The draft bill has been put up for public consultation till September 5, after which it is likely to be sent for parliamentary approval.
According to the recommendations of the Srikrishna report, all personal data of Indian citizens must have at least one copy saved in India. Eight of the 10 most accessed websites in India are owned by US entities, says the report. To begin with, foreign e-commerce companies will be asked to set up servers in India, so that the personal data of customers, generated through e-commerce operations, stays within the country. The votaries of data localisation say it will facilitate easier access for law enforcement agencies for the purposes of investigation and prosecution. Those who criticise data localisation argue that it can hurt the economy and may create a fragmented Internet that goes against the intrinsic character of the Web as a borderless medium.
There have been concerns that the personal data that stays in servers within the country can be misused by the state. But one of the key features of the draft bill is the creation of a regulatory data protection authority that will address user concerns, including privacy and data protection. Also, in line with European Union’s General Data Protection Regulation, India’s draft data protection bill places user consent and specificity of purpose paramount for accessing such data. Even as the government appears to have made up its mind to go ahead with stronger data localisation norms, experts say a majority of Indian businesses might not have the technical wherewithal and resources to set up local clouds. Any final stand on stringent data localisation norms may ultimately have to take the middle path and balance the interests of the State, the people and businesses.
