Data localisation has assumed increasing significance in India over the past year or so, and has been included in a number of legislative and regulatory changes that have taken place or been proposed during this period.
A brief overview of the key features of these changes is set out below:
Localisation of Payment Data
In April 2018, the Reserve Bank of India (the RBI) issued a circular requiring all payment gateways along with their service providers / intermediaries / third party vendors and other entities in the payment ecosystem to store payment related data locally in order to enable “better monitoring” and “unfettered access” to the payment related data of Indian customers. Payment related data includes full end-to-end transaction details and information collected / carried / processed as part of the payment instructions.
Whilst many foreign payment systems providers were strenuous in their resistance to this requirement, the RBI held firm, and enforced its 15 October 2018 deadline for compliance.
Data Localisation under the Draft Personal Data Protection Bill, 2018
A draft Personal Data Protection Bill (the PDP Bill) was first released in July 2018 in which a key feature has been the introduction of a data localisation requirement.
The Bill provides that one copy of all personal data must be held on a server located in India. The Bill further provides that certain categories of “critical personal data” (which will be notified by the Government in due course) can only be processed in India.
We have previously prepared a more comprehensive review of the PDP Bill, which can be found here.
Draft Information Technology (Intermediaries Guidelines (Amendment) Rules), 2018
In December 2018, with a view to curbing “fake news” online, the Ministry of Information and Technology proposed changes to the guidelines governing intermediaries under the Information Technology Act, 2008 (the Intermediary Guidelines).
One of the proposed changes requires intermediaries (which include social media platforms, telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites and online-market places) that have more than 5 million Indian users or which have been notified by the Government to establish a physical presence in India.
Under the proposed Intermediary Guidelines, such intermediaries will be required to: (a) incorporate a company in India; (b) have a permanent address in India; and (c) appoint local nodal officers to coordinate with Indian law enforcement agencies and ensure compliance with Indian law.
It is proposed that an intermediary will only be able to claim “safe harbour” protection for actions taken by its users, if it is in compliance with the requirements of the proposed Intermediary Guidelines.
Draft E-Commerce Policy, 2019
In February 2019, the Department for Promotion of Industry and Internal Trade published a draft e- commerce policy (the E-Commerce Policy). In addition to addressing other data related issues such as the need to create a “legal and technological framework” that can “provide the basis for imposing restrictions on cross- border data flow”, the E-Commerce Policy highlights the need to develop India’s capacity for data storage by building local data storage infrastructure.
The E-Commerce Policy contemplates the creation of data storage infrastructure including data centres, server farms and tower stations and the promotion of domestic alternatives to foreign-based cloud services and email facilities. The policy proposes a three year time frame for the transition of data storage to within India.
Changes Expected To Be Implemented Soon
Accordingly, Indian authorities have attached considerable importance to data (which has been referred to as the “new oil” in various government documents) and ensuring that they will have sufficient jurisdictional control over data that has an Indian element. Following the conclusion of the general elections in May, the Government is now likely to move quickly in implementing its proposed legislative and policy changes.
The changes have met with significant criticism from various quarters:
- The EU and the US have both said that such moves are discriminatory and create significant trade barriers.
- A global coalition of 31 experts has written to the Government asking for the withdrawal of the Intermediary Guidelines on the grounds that such amendments will undermine digital security and threaten users’ privacy and free expression.
- NASSCOM, a software services industry association, has suggested that the data localization conditions in the E- Commerce Policy should be removed as it is unclear how these will promote e-commerce growth in India, and data localization will be in any event covered in the PDP Bill.
However, the Government appears to be firm in its resolve to push these changes through. At the recent G20 meeting in Japan, India did not support the Data Free Flow with Trust initiative relating to global rules on e-commerce (which seeks to eliminate restrictions on cross border transfers of information). At the meeting, the Indian Commerce and Industry Minister said that countries must have the sovereign right to use their data for the benefit and welfare of their own people, and India will need to formulate its own legal and regulatory framework before meaningfully engaging in global e-commerce negotiations. The Information and Technology Minister has separately said that his top priorities will be to bring the PDP Bill to Parliament and notify the proposed amendments to the Intermediary Guidelines as soon as possible. Recent reports suggest that the PDP Bill is awaiting cabinet clearance and will shortly be introduced in the current session of Parliament.
Accordingly, companies that deal with data which has an India element will need to comply with localisation requirements in the very near future. They should also be aware that such localisation requirements overlap between different legislations and regulations, and it will be important for them to identify the requirements that will apply to them.
We are monitoring these developments closely and will be happy to provide further information in this regard.
This material is for general information only and is not intended to provide legal advice. For further information, please contact: