Data Localisation in India: Dilemma Continues
Updated: Jun 2
Satyam Rathore, Associate, K&M Partners
Localisation of personal data has been an issue which has drawn attention of the corporate world as well as those involved in policy formulation, ever since the recommendation of the Justice BN Srikrishna Committee and the Draft Personal Data Protection Bill 2018 came into the public domain. The issue has drawn critical attention of many multinational corporations as they face heavy financial burden for both implementation of such a scheme by scaling up necessary infrastructure and also in the form of penalty in case of failure to comply with the provisions.
Along with the introduction of various new key concepts such as evolution from the notion of data controller and data subject to a more trust based fiduciary relationship between data principal and data fiduciary, the 2018 Bill laid down the provision for localisation of personal data in terms wherein at least one copy of the personal data had be stored in India(data mirroring) , while such personal data could have been transferred outside India for processing, as long as data mirroring was adhered to. It is important to note that for the purpose of the cross border transfer of personal data, the said personal data as per the definition provided in the said Bill meant to include financial data, which formed a part of sensitive personal data under the said Bill.
Therefore on a careful analysis of the provisions thereunder the 2018 Bill, financial data, i.e. any financial data identifiable to a person such as credit card details, bank payment transaction details, could have been transferred across the border, provided a copy of such data was stored in India. It is important to note that although the said provision provided a burden on the fintech companies, especially the multinational corporations having global data storage and processing servers, which in many cases are centralised globally at a particular location, as they were to bear additional cost for setting up the necessary digital infrastructure in India, despite of that the 2018 Bill provided for transfer of such data outside India for the purpose of necessary processing with a copy of the same in India.
Subsequently, the Data Protection Bill, 2019, which was introduced in the Parliament post consultation with the necessary stakeholders, has surprisingly further stiffened the provisions related to cross border transfer of personal data, more specifically financial data, wherein the requirement for storage of a copy of such data in servers located in India has been done away with and in place such financial data have now to be strictly stored only in India in original. It is pertinent to note that under the 2019 Bill, such financial data could only be transferred for the sole purpose of processing outside India, provided that the data principal, i.e. the data owner has expressly consented for such transfer. Therefore, unlike the 2018 Bill, the 2019 Bill has made storage compulsory in India, thereby discarding the applicability of data mirroring completely.
Although the Personal Data Protection Bill, 2019 has still not been enacted as a law, which if enacted in the present form can tighten the noose for the fintech companies, however the sectoral regulation in the form of a Reserve Bank of India notification data 8th April 2019, has effectively imposed the data localisation norm since a considerable amount of time now. As per the said notification, the fintech companies, other companies and banks are already directed to store all financial transaction data strictly in India. Such a mandate has already drawn concerns of various multinational entities with their prime concern being bearing of additional cost for compliance of such a strict data localisation enforcement. Corporations such as WhatsApp Inc has been entangled into a legal dispute on the issue due to which the much anticipated launch of WhatsApp Pay in India has been on hold for a considerable time.
Further it is pertinent to note that the Joint Parliamentary Committee to which the Personal Data Protection Bill 2019 has been referred to for scrutiny, is yet to submit its report to the Parliament, which is mostly expected to be submitted in the upcoming Monsoon Session of the Parliament , as we see that the current economic crisis due to COVID-19 pandemic is set to escalate in the coming days, it would be interesting to see the response of all the stakeholders including the Indian Government and the multinational foreign companies involved in or related to financial data, over the issue of compliance of the RBI dictum which may add up to the cost of these foreign corporations.
The views expressed herein are solely and strictly of the author in his personal capacity. No views are directly or indirectly attributable to the law firm of K&S Partners, in any form whatsoever.