We are at a point in time when privacy has become a standard to be complied with unanimously, considering that we find ourselves in a digital and cyber world. Hence, unauthorized access, data breaches or personal information theft are no longer wild conjectures, but prevalent realities that we must wrap our heads around to ensure the privacy of individuals' data, every bit and byte of it.

Keeping in mind the current but ever-evolving regulatory landscape, India too joined the bandwagon with its draft Personal Data Protection Bill 2018. While the bill successfully "Indianizes" numerous aspects of the EU General Data Protection Regulation, it leaves ample room for discussion by plugging in a data localization requirement.

Data localization, to put it simply, mandates that the personal data of individuals in a particular country should be processed and stored in that country itself. This might not be an entirely new requirement for some, considering that data transfer restrictions have manifested across various government policies over the last year. For instance: Reserve Bank of India formulated a directive on payment systems providers to store payment systems data only in India.

The PDP bill on the face of it appears to be a document construed to protect an individual’s personal data and regulate the collection, usage, transfer and disclosure of the said data. However, the standard data protection requirements are perhaps laced by a value system that supports "data nationalism," as it requires the personal data that is transferred outside India to be localized/stored in India.

Think global, store local

Although the PDP bill provides for the cross-border transfer of data, it throws in a caveat of storing at least one serving copy of the transferred data in a server or a data center located in India. Interestingly, the bill is silent on what exactly is a “serving copy” and jumps straight to the requirements to be met with in case of an international transfer of data. 

Data localization at its very core is an obligation on data fiduciaries (entities that are responsible for making decisions regarding processing of personal data) to store a copy of all personal data on a server or data center in India. Meaning that data fiduciaries may transfer personal data across Indian borders subject to the conditions such as incorporation of standard contractual clauses coupled with the consent of the data principals (natural persons) and a seal of approval by the data protection authority of India.

Therefore, there could be periodic scrutiny and certification involved in the process of cross-border data transfers by the relevant authorities and the data fiduciaries alike, resulting in either the creation of a quality-driven and -regulated transfer mechanism or a heavily restrictive transfer mechanism.

Conundrums

Localization of personal data could very well impact the small and medium enterprises due to the additional costs involved in the establishment of servers and data centers to store data. Moreover, current data storage climate revolves around the usage of cloud networks, which are cost-effective and rely on the global data flows wherein the customer has some say in relation to where their data is stored. Therefore, while the establishment of servers and data centers may appear to be a step forward, it also implies additional cost on the industry, especially factoring in the SMEs and startups, over and above the reduction in foreign investments due to increased costs of compliance and infrastructure. Additionally, data localization may impact privacy structures of an entity since multiple/mirror copies of data in different locations would make the security framework of an organization vulnerable.

On the flip side, personal data maintained in India will always enjoy the protection extended by the PDP bill. The requirement of retaining at least one copy of the data transferred abroad on a local server would also provide greater access in light of contingencies such as law enforcement, prevention of foreign surveillance, and national security, further mitigating the tedious negotiations around mutual legal cooperation arrangements between different countries. Additionally, localization could be beneficial in protecting sensitive data like medical records, and the same should fall ideally to be regulated for all practical and legal purposes.

Fundamental rights of individuals

The Supreme of Court of India in 2017 recognized privacy as a fundamental right. Hence, privacy as a fundamental right would empower an individual to make decisions regarding how their data is handled. However, the said right is not absolute, and the government may impose restrictions on handling an individual’s data, which includes cross-border transfers, as well. This subject is open to interpretation, as there is a possibility that an individual voices no objections to their data being transferred abroad, but the government has restrictions placed on said transfer. Therefore, it remains to be seen how the courts in India will interpret the localization requirement if and when it comes for consideration.

Data localization as a prospective requirement under the Indian data privacy landscape appears to be one where the free flow of data is the norm and to restrict is an exception. Therefore, Indian businesses that operate on providing goods and services on the basis of a data-sharing model with entities abroad would need to introspect financially and logistically into whether it would be beneficial to invest in storing their data locally, hence, leading to increased costs, or revisit their business models and restrict their data flow to Indian itself.

Currently, what remains to be seen is that how the finalization of the bill into an act will bring clarity on the approach that is to be adopted while analyzing, interpreting and implementing the cross-border transfer of data and localization requirements.