The much-awaited report by the Justice BN Srikrishna-led committee for a data protection framework for India is expected by the end of the month. But reportedly it won't hold good news for the likes of Google, Facebook and other tech giants because the panel is leaning towards data localisation.
Citing sources privy to the discussions, The Economic Times said that a majority of the 10-member panel feel that it will be in India's best interests to ask multinationals to ensure that key data of residents remain within the country, given the current sensitivity around data globally. It added that the committee will hold its final meeting on Monday to discuss these issues.
The government had constituted the committee last August to recommend a framework for securing personal data in the increasingly digitised economy as also address privacy concerns and build safeguards against data breaches. Its formation came amid concerns over personal information being compromised with increasing use of biometric identifier Aadhaar in an array of services.
"Broadly, data has to be in the country. There are some areas where exemptions could be there but even from the country's sovereignty point of view, vital data has to be stored locally," a source told the daily, adding that "While sensitive personal data is already defined under many Acts, the committee will do the remaining job."
According to another source, the government is mulling mandating data localisation since it is increasingly realising that the citizen data of 1.3 billion Indians is quite valuable. Besides, the recent Facebook-Cambridge Analytica controversy has red-flagged the potential for misuse of user data. "Some of the global Internet giants are really worried right now. If the government asks that personal emails of citizens etc. have to be stored in India, it will cause a lot of disruption," the source added.
The Reserve Bank of India has, in fact, already taken a strong stance on the data localisation front. In April, the apex bank had released a 'Statement on Developmental and Regulatory Policies', which announced that "all payment system operators will ensure that data related to payment systems operated by them are stored only inside the country within a period of 6 months". The idea, it said, was "to have unfettered access to all payment data for supervisory purposes".
According to the daily, the regulator has now asked companies for a fortnightly update on their compliance even as this move has divided the industry with local companies supporting it and foreign ones lobbying for its withdrawal. "What the (Srikrishna) committee will do will be at least less in impact than RBI's mandate because there is a lot of junk or non-critical data of users which is not required to be stored locally," a committee member pointed out.
Of course, not everybody on the panel is in favour of data localisation. A few members of the panel are reportedly advocating free flow of data to retain the competitive advantage of India's $135-billion software exports industry. The report added that this group has argued that data localisation will also have a long-term impact on innovation and economic growth.
In the whitepaper on Data Protection Framework for India put out by the committee last year, for which public comments had been sought, there was an entire chapter devoted to data localisation. "A nation has the prerogative to take measures to protect its interests and its sovereignty, but it must carefully evaluate the advantages and dangers of locally storing data before taking a firm decision on an issue has the potential to cause a major ripple effect across a number of industries," read the whitepaper.
Among the advantages of a data localisation law the whitepaper listed preventing foreign surveillance and helping ensure the protection of the rights of data subjects in some circumstances. "If data is locally stored in India, enforcement agencies will have access to a larger pool of data. This data could aid counter-terrorism efforts and may help protect national security," it added.
At the same time, the whitepaper also pointed out that "Economy-wide data localisation requirements have led to a negative impact on GDP in several countries where such requirements have been considered (Brazil -0.8%, India -0.8% and Republic of Korea -1.1%) or implemented (Indonesia -0.7%)". It also stated that such a move would raise costs for local businesses, hamper local start-ups, and hinder access to the use of the latest technological advances. Furthermore, it claimed that "the harms of data localisation are widespread, felt by small, medium, and large businesses that are denied access to global services that might improve productivity".
The whitepaper went on to list several sectors and businesses that would be negatively impacted by data localisation like the Information Technology-Business Process Outsource (IT BPO) sector, the service sector and global in-house centers (GICs), the offshore centers that perform designated functions for large organizations. "They have played a pivotal role in ushering in an age of data analytics and digital transformation. India currently has GICs operating across numerous sectors, including IT and Information Technology Enabled Services (ITeS), engineering and software development, banking, financial services and insurance, telecom etc., with growing concentration in the aerospace, healthcare, pharma, and biotech industries," said the whitepaper, adding, "Data localisation and restriction of cross-border data flows could have a severe impact on the growth of the GICs in India".
Given the above nuances, the whitepaper had summed up the chapter saying "while data localisation may be considered in certain sensitive sectors, it may not be advisable to prescribe it across the board". All the stakeholders will now be waiting with bated breath to see what the Srikrishna committee finally recommends.
with PTI inputs
Copyright©2022 Living Media India Limited. For reprint rights: Syndications Today