Abstract
This paper examines the debates around data localization in India, using the term to mean any kind of mandatory requirements of local storage or processing of data within the country. We focus on the policy motivations and challenges of data localization, mapping these arguments into three broad categories of the civil liberties perspective, the government functions perspective, and the economic perspective. This is followed by an examination of the robustness of the policy processes through which such norms are being introduced in India. We focus on three policy initiatives—the Personal Data Protection Bill, the Reserve Bank of India’s payments directive, and the localization conditions in telecommunication licenses. We find each of these processes to be lacking in terms of robustness, transparency, and deliberative policy making with the data protection discussions faring better than the other two initiatives.
Similar content being viewed by others
Notes
A study on data localization measures adopted by members of the European Commission also found that certain kinds of data, namely tax and accounting data, defence and security data, financial data and data held in public registries, was more commonly being subjected to localization requirements. The extent of restrictions also varied among the Member States, with most of them having only one (8 countries) or two (7 countries) types of restrictions [15].
The IT Act permits permits cross-border data transfers of sensitive personal data, in certain limited contexts such as where a similar level of privacy protection is provided in the foreign jurisdiction. Further, the transfer is allowed only if necessary for the performance of a lawful contract or subject to consent. The enforcement of these requirements is however questionable.
Exceptions are provided for situations where such information may need to be transferred for international roaming or billing purposes [65].
Rule 3(5), Chapter IX, Companies (Accounts) Rules, 2014.
The Public Records Act, 1993, prohibits the transfer of public records out of India, without the prior approval of the Central Government unless the transfer is being made for an official purpose. The governments “Meghraj” initiative to promote the use of cloud services by the government also contains a requirement for the localization of government data. The National Data Sharing and Access Policy (NDSAP) of 2012, includes localization requirements for data generated out of public funding.
Of the fourteen jurisdictions whose data localization norms were studied by Chander and Le [10] only two countries—Nigeria and France—explicitly recognised ‘economic development’ as a rationale for their localization decisions.
The policy therefore sees restrictions on cross-border data transfers as essential in developing the local data economy and boosting local employment opportunities.
Refer for example to the Justice Srikrishna Committee’s analysis of the matter [61].
This also ties in with economic arguments, that see Indian data as being used to enable progress of the Indian economy by permitting Indian corporations to gain from the data generated within India [3].
Note that the recently announced Intermediaries Guidelines Rules, 2021 also contain an obligation for certain types of intermediaries to appoint local personnel as grievance and contact officials.
Notably, a Gartner study in 2015 found that India held just about 1.2 percent of the world’s data center infrastructure and 5.23 percent in the Asia-Pacific region [27].
For instance, a USD 1 billion data center built by Apple in North Carolina, United States in 2011, created only 50 full-time jobs and another 250 support jobs in areas such as security and maintenance [12].
May of the recent policy instruments containing localization measures specifically refer to goals such as “nurturing digital innovation” and “stimulating domestic digital economy” [14]; the Srikrishna Committee’s report refers both to the possible impact of localization on the growth of domestic industry, particularly in the AI ecosystem [61]; the 2019 draft National e-Commerce Policy bluntly states ‘Indian citizens and companies should get the economic benefits from monetisation of data.’ [13].
Further, two of these localization mandates are already in place while the personal data one is still being debated.
The draft bill identifies three categories of data—personal data, sensitive personal data and critical personal data. It is understood that critical data would be a sub-category of ‘sensitive personal data’, which the draft bill defines to includes passwords, financial data, health data, sexual orientation, biometric data, caste or tribe, and religious or political affiliation.
The dissent notes, which are annexed with the Committee’s report, were submitted by Rama Vedashree and Rishikesha T. Krishnan [61].
See Sections 33 and 34, PDP Bill, 2019.
This is also subject to certain exceptions like medical or other emergencies or where approved by the government based on national strategic and security interests.
This includes basic customer data, like name, mobile number, Aadhaar Number, PAN number, payment sensitive data, like customer and beneficiary account details, payment credentials, like OTP, PIN, Passwords, and transaction data, like transaction reference, timestamp, and amount [51].
Clause 39.23(viii), Unified License Agreement. Similar provisions also existed for other categories of telecom licenses, as seen in Clause 41.20 (viii) of the Unified Access Service License.
Clause 39.23 (viii), Unified License Agreement.
The law specifically enables the RBI to call for periodic information from payment system providers and gain access to their information—Sections 12 and 13, Payment and Settlement Systems Act, 2007.
The meetings were held in the cities of Delhi, Hyderabad, Bengaluru and Mumbai in January, 2018.
The study pertains to actions taken by the regulator during the period between January, 2014 to April 2016.
But it is also one which has seen significant litigation on issues of regulatory governance, with courts often finding deficiencies in the regulatory processes. For instance, see Cellular Operators Association of India v. Telecom Regulatory Authority of India [9].
References
Bailey R, Bhandari V, Parsheera S, Rahman F (2018) Use of personal data by intelligence and law enforcement agencies’. National Institute of Public Finance and Policy. http://macrofinance.nipfp.org.in/PDF/BBPR2018-Use-of-personal-data.pdf
Barik S (2019) Data localisation won’t be part of final e-commerce policy, says piyush goyal: report. Medianama. https://www.medianama.com/2019/06/223-data-localisation-to-be-left-out-of-nal-e-commerce-policy-says-piyush-goyal-report/
Basu A, Hickok E, Chawla AS (2019) The localisation gambit: unpacking policy measures for sovereign control of data in india. Centre for Internet and Society, India. https://cis-india.org/internet-governance/resources/the-localisation-gambit.pdf
Bauer M, Ferracane MF, van der Marel E (2016) Tracing the economic impact of regulations on the free ow of data and data localization. Centre for International Governance Innovation and Chatham House. https://www.cigionline.org/sites/default/files/gcig_no30web_2.pdf
Bauer M, Lee-Makiyama H, der Marel E. V, Verschelde B. (2014). The costs of data localisation: friendly fire on economic recovery. European Centre for International Political Economy. http://www.ecipe.org/app/uploads/2014/12/OCC320141.pdf
Bohn D (2012) Rim sets up blackberry server in mumbai, continues to offer ‘lawful access’ to indian government. The Verge. https://www.theverge.com/2012/2/22/2818195/rim-sets-up-blackberry-server-in-mumbai-continues-to-offer-lawful
Burman A, Sharma U (2021) How would data localisation benefit india? https://carnegieindia.org/2021/04/14/how-would-data-localization-benefit-india-pub-84291
Burman A, Zaveri B (2019) Measuring regulatory responsiveness in India: a framework for empirical assessment. William Mary Policy Rev 9(2). https://static1.squarespace.com/static/59c0077a9f745650903ac158/t/5cb62147104c7ba2eaf637e4/1555439944606/Burman+V2.pdf
Cellular Operators Association of India v. Telecom Regulatory Authority of India (2016) Supreme court of India, civil appeal no. 5017 of 2016. https://indiankanoon.org/doc/116404795/
Chander A, Le UP (2015) Data nationalism. Emory Law J 64(3). https://ssrn.com/abstract=2577947
Cohen B, Hall B, Wood C (2017) Data localisation laws and their impact on privacy, data security and the global economy. Antitrust 32(1, Fall). https://www.americanbar.org/content/dam/aba/publications/antitrust_magazine/anti_fall2017_cohen.authcheckdam.pdf
Cory N (2017) Cross border data ows: where are the barriers and what do they cost? Information Technology and Innovation Foundation. https://itif.org/publications/2017/05/01/cross-border-data-ows-where-are-barriers-and-what-do-they-cost
Department of Industrial Policy and Promotion, Government of India (2019) Draft national ecommerce policy: India’s data for india’s development. https://dipp.gov.in/sites/default/les/DraftNational_ecommerce_Policy_23February2019.pdf
e-Commerce Task Force (2018) Electronic commerce in India: draft national policy framework (non-offcial version). Medianama. https://www.medianama.com/wp-content/uploads/Draft-National-E-commerce-Policy.pdf
EC Staff Document (2017) Commission staff working document on the free flow of data and emerging issues of the european data economy. European Commission. https://ec.europa.eu/digital-single-market/en/news/staff-working-document-free-ow-data-and-emerging-issues-european-data-economy
ET Bureau (2019) India decides to opt out of rcep, says key concerns not addressed. Economic Times. https://economictimes.indiatimes.com/news/economy/foreign-trade/india-decides-to-opt-out-of-rcep-says-key-concerns-not-addressed/articleshow/71896848.cms
Ferracane M, Kenz J, van der Marel E (2018) Do data policy restrictions impact the productivity performance of firms and industries? ECIPE, DTE WORKING PAPER 01. https://ecipe.org/wp-content/uploads/2018/10/Do-Data-Policy-Restrictions-Impact-the-Productivity-Performance-of-Firms-and-Industries-final.pdf
Ferracane M, van der Marel E (2018) Do data policy restrictions inhibit trade in services? ECIPE. https://ecipe.org/publications/do-data-policy-restrictions-inhibit-trade-in-services/
FSLRC (2013) Report of the financial sector legislative reforms commission. Ministry of Finance, Government of India
Gallagher R, Greenwald G (2014) How the nsa plans to infect ’millions’ of computers with malware. The Intercept. https://theintercept.com/2014/03/12/nsa-plans-infect-millions-computers-malware/
Gopalakrishnan Committee (2020a) Report by the committee of experts on non-personal data governance framework. Ministry of Electronics and Information Technology, Government of India (revised). https://ourgovdotin.files.wordpress.com/2020/12/revised-report-kris-gopalakrishnan-committee-report-on-non-personal-data-governance-framework.pdf
Gopalakrishnan Committee (2020b) Report by the committee of experts on non-personal data governance framework. Ministry of Electronics and Information Technology, Government of India. https://ourgovdotin.files.wordpress.com/2020/07/kris-gopalakrishnan-committee-report-on-non-personal-data-governance-framework.pdf
Greenwald G (2014) How the nsa tampers with us-made internet routers. The Guardian. https://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden
Gurumurthy A, Chami AVN (2017) The grand myth of cross-border data ows in trade deals. IT for Change. http://itforchange.net/grand-myth-of-cross-border-data-ows-trade-deals#footnote347w9cffs
Hetavkar N (2018) Rbi firm on data localisation; 80% of firms to comply by oct 15 deadline. Business Standard. https://www.business-standard.com/article/economy-policy/rbi-firm-on-data-localisation-80-of-firms-to-comply-by-oct-15-deadline-118101101302_1.html
Hill R (2017) Second contribution to the June-September 2017 open consultation of the itu cwg-internet, why should data ow freely? Association for Proper Internet Governance. https://bit.ly/2QBOydj
IAMAI (2016) Make in India: Conducive policy and regulatory environment to incentivise data center infrastructure. Internet and Mobile Association of India
IBEF (2018) It & ites industry in India. India Brand Equity Foundation. https://www.ibef.org/industry/information-technology-india.aspx
INC42 Staff (2021) RBI Bars mastercard from acquiring new customers for violating data localisation policy. Inc42.com. https://inc42.com/buzz/rbi-bars-mastercard-from-acquiring-new-customers-for-violating-data-policy/
Kathuria R, Kedia M, Varma G, Bagchi K (2019) Economic implications of cross-border data ows. ICRIER and IAMAI. https://icrier.org/pdf/Economic_Implications_of_Cross-Border_Data_Flows.pdf
Khamooshi A (2016) Breaking down apple’s iphone fight with the us government. The New York Times. https://www.nytimes.com/interactive/2016/03/03/technology/apple-iphone-fbi-fight-explained.html
Kovacs A, Ranganathan N (2018) Data sovereignty, of whom? Limits and suitability of sovereignty frameworks for data in India. Data Governance Network WP 03. https://internetdemocracy.in/wp-content/uploads/2020/03/Data-sovereignty-of-whom-Limits-and-suitability-of-sovereignty-frameworks-for-data-in-India.pdf
Kuner C (2015) Data nationalism and its discontents. 64 Emory Law Journal Online 2089. http://law.emory.edu/elj/elj-online/volume-64/responses/data-nationalism-its-discontents.html
Law Ministry (2014) Pre-legislative consultation policy. https://legislative.gov.in/documents/pre-legislative-consultation-policy
Leviathan (2015) Quantifying the cost of forced localization. Leviathan Security Group. https://tinyurl.com/y89q99yt
Macleod J (2015) E-commerce and the wto: a developmental agenda. GEG Africa
Mandavia M (2020) Activists demand jpc consult civil society on data protection bill. https://economictimes.indiatimes.com/news/politics-and-nation/activists-demand-jpc-consult-civil-society-on-data-protection-bill/articleshow/79449870.cms?from=mdr
Manikandan A (2021) Payment companies face tighter rbi norms. Economic Times. https://economictimes.indiatimes.com/tech/technology/payment-companies-face-tighter-rbi-norms/articleshow/81765812.cms?from=mdr
MeITY (2018) Software and services sector. Ministry of Electronics & Information Technology. http://meity.gov.in/content/software-and-services-sector
MeitY (2019) Clarification regarding a story published in the economic times on data protection bill. https://bit.ly/3CNZQ6m
Ministry of Foreign Affairs, Government of Japan (2019) Osaka declaration on digital economy. Government of Japan. https://www.mofa.go.jp/mofaj/gaiko/g20/osaka19/pdf/special_event/en/special_event 01.pdf
Panday J (2016) The internet has a new standard for censorship. The Wire.in. https://thewire.in/politics/the-internet-has-a-new-standard-for-censorship
Parsheera S (2020) Regulatory governance under the pdp bill: a powerful ship with an unchecked captain? https://www.medianama.com/2020/01/223-pdp-bill-2019-data-protection-authority/
Parsheera S, Jha P (2020) Cross-border data access for law enforcement: what are India’s strategic options? https://carnegieindia.org/2020/11/23/cross-border-data-access-for-law-enforcement-what-are-india-s-strategic-options-pub-83197
Press Trust of India (2014) Vodafone secretly sharing data with british intelligence: home ministry. The Hindu. https://timesofindia.indiatimes.com/india/Vodafone-secretly-sharing-data-with-British-intelligence-Home-ministry/articleshow/31797862.cms/
Puttaswamy v. Union of India (2017) 2017 (10) SCC 1, Supreme Court of India
Raghavan TS (2019) India rejects rcep e-commerce chapter. The Hindu. https://www.thehindu.com/business/india-rejects-rcep-e-commerce-chapter/article29659912.ece
RBI (2018a) Minutes of the meeting held with major non-compliant payments system operators. https://www.cashlessconsumer.in/uploads/DataLocalisation-RBI-MoM.pdf
RBI (2018b) Statement on developmental and regulatory policies. https://rbidocs.rbi.org.in/rdocs/PressRelease/PDFs/PR264270719E5CB28249D7BCE07C5B3196C904.PDF
RBI (2018c) Storage of payment system data. https://www.rbi.org.in/scripts/NoticationUser.aspx?Id=11244
RBI (2019) Faqs on storage of payment system data. https://m.rbi.org.in/scripts/FAQView.aspx?Id=130
Roy S (2019) G-20 osaka summit: India refuses to sign declaration on free ow of data across borders. Indian Express. https://indianexpress.com/article/india/g-20-osaka-summit-narendra-mod-india-declaration-on-free-ow-of-data-across-borders-shinzo-abe-5805846/
Roy S, Shah A, Srikrishna BN, Sundaresan S (2018) Building state capacity for regulation in India. https://macrofinance.nipfp.org.in/PDF/RSSSbuilding-state-capacity.pdf
Selby J (2017) Data localization laws: trade barriers or legitimate responses to cybersecurity risks, or both? Int J Law Inform Technol 25(3):213–232. https://academic.oup.com/ijlit/article-abstract/25/3/213/3960261
SFLC (2014) Deity provides lists of sites blocked in 2013, but withholds orders! s c.in. https://sc.in/deity-provides-list-sites-blocked-2013-withholds-orders
SFLC (2015) Deity says 2341 urls were blocked in 2014; refuses to reveal more. s c.in. https://sc.in/deity-says-2341-urls-were-blocked-2014-refuses-reveal-more
SFLC.in (2021) Internet shutdowns. internetshutdowns.in. https://internetshutdowns.in/
Shah A (2015) The economies of cloud computing: an Indian perspective. The Leap Blog. https://blog.theleapjournal.org/2015/03/the-economics-of-cloud-computing-indian.html
Shah A (2016) Occam’s razor of public policy. The Leap Blog. https://blog.theleapjournal.org/2016/01/occams-razor-of-public-policy.html
Srikrishna Committee (2017) White paper on data protection in India. https://www.meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf
Srikrishna Committee (2018) A free and fair digital economy: protecting privacy, empowering indians. Report of the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna. http://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
Surabhi (2021) Visa complies with rbi’s data localisation norms. Hindu Business Line. https://www.thehindubusinessline.com/money-and-banking/visa-complies-with-rbis-data-localisation-norms/article35527816.ece
The Economist (2017) The world’s most valuable resource is no longer oil, but data. https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data
UK Better Regulation Task Force (2005) Regulation—less is more: reducing burdens, improving outcomes. https://www.regulation.org.uk/library/2005_less_is_more.pdf
Unified License (2014) License agreement for unified license. Department of Telecommunications. http://dot.gov.in/sites/default/files/Amended%5C%20UL%5C%20Agreement_0_1.pdf?download=1
Wikipedia (2016) Internet censorship in India. Wikipedia. https://tinyurl.com/y94t5lrs
Yadron D, Ackerman S, Thielman S (2016) Inside the fbi’s encryption battle with apple. The Guardian. https://www.theguardian.com/technology/2016/feb/17/inside-the-fbis-encryption-battle-with-apple
Acknowledgements
We would like to thank Ajay Shah, Amba Kak, Jyoti Panday, Mansi Kedia, Mudit Kapoor, and Richard Hill for comments on an earlier version of this paper, which was released as a NIPFP Working Paper titled ‘Data localisation in India: Questioning the means and ends’ in 2018. We are also grateful to an anonymous peer reviewer for comments on this version of the paper. All errors are our own.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflicts of interest
The authors declare that they have no conflict of interest.
Rights and permissions
About this article
Cite this article
Bailey, R., Parsheera, S. Data localization in India: paradigms and processes. CSIT 9, 137–150 (2021). https://doi.org/10.1007/s40012-021-00337-4
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s40012-021-00337-4