From UPSC perspective, the following things are important :
Prelims level : Not much.
Mains level : Paper 2- Data localisation and issues involved.
The contentious clauses on local data storage in the revised Personal Data Protection Bill need re-examination.
What Personal Data Protection Bill contains?
- Greater control to an individual: The draft law is a comprehensive piece of legislation that seeks to give individuals greater control over how their personal data is collected, stored and used.
- The promise of improvement over the current privacy law: Once passed, the law promises a huge improvement on current Indian privacy law, which is both inadequate and improperly enforced.
- Criticism of the bill: The proposed bill has attracted criticism on various grounds such as-
- The exceptions created for the state.
- The limited checks imposed on state surveillance, and-
- Regarding various deficiencies in the structures and processes of the proposed Data Protection Authority.
The issue over the “data localisation”
- Data within the country: The phrase, which can refer to any restrictions on cross-border transfer of data, has largely come to refer to the need to physically locate data within the country.
- Provisions for the transfer of personal data outside India: The PDP Bill enables the transfer of personal data outside India, with the sub-category of sensitive personal data have to be mirrored in the country (e. a copy will have to be kept in the country).
- Ban on transfer of critical data outside the country: Data processing/collecting entities will, however, be barred from transferring critical personal data (a category that the government can notify at a subsequent stage) outside the country.
- Different from Justice Srikrishna committee report: These above provisions have been changed from the earlier version of the draft Bill, released by the Justice Srikrishna Committee in 2018.
- The 2018 draft imposed more stringent measures that required both personal and sensitive personal data to be mirrored in the country (subject to different conditions).
- Welcome move: The move to liberalise the provisions in the 2019 version of the Bill is undoubtedly welcome, particularly for businesses and users.
How removing the restriction matters?
- Reduction in cost to business: Liberalised requirements will limit costs to business and ensure users have greater flexibility in choosing where to store their data.
- More proportionate approach: The changes in the 2019 draft reflect a more proportionate approach to the issue as they implement a tiered system for cross-border data transfer, ostensibly based on the sensitivity/vulnerability of the data.
- Move-in accordance with the right to privacy: This seems in accord with the Supreme Court’s dicta in the 2017 Puttaswamy case.
- Conditions for interference in privacy: The Court had made it clear that interference in the fundamental right to privacy would only be permissible if inter alia deemed necessary and proportionate.
Test of proportionality in the bill
- On closer examination, it appears that even the revised law may not actually stand the test of proportionality.
- The three-argument for imposing norms: There are broadly three sets of arguments advanced in favour of imposing stringent data localisation norms:
- Sovereignty and government functions. Referring to the need to recognise Indian data as a resource to be used to further national interest (economically and strategically), and-
- To enable enforcement of Indian law and state functions.
- Accruing benefits to the local industry: The second claim is that economic benefits will accrue to local industry in terms of creating local infrastructure, employment and contributions to the AI ecosystem.
- Protection of civil liberties: Regarding the protection of civil liberties, the argument is that local hosting of data will enhance its privacy and security by ensuring Indian law applies to the data and users can access local remedies.
- Contradiction in the claim of protection? If data protection was required for the above purposes, it would make sense to ensure that local copies were retained of all the categories of personal data provided for in the Bill (as was the case with the previous draft of the law).
- Sectoral obligations: In the alternative, sectoral obligations would also suffice as is currently the case with sectors such as digital payments data, certain types of telecom data, government data, etc.
- Will data localisation lead to privacy protection? We note that the security of data is determined more by the technical measures, skills, cybersecurity protocols, etc. put in place rather than its mere location.
- Localisation may make it easier for domestic surveillance over citizens.
- Enabler of better exercise of privacy by citizens: It may also enable the better exercise of privacy rights by Indian citizens against any form of unauthorised access to data, including by foreign intelligence.
- Effectiveness matters: The degree of protection afforded to data will depend on the effectiveness of the applicable data protection regime.
- Protecting privacy through less intrusive measures: Insofar as privacy is concerned, this could be equally protected through less intrusive, suitable and equally effective measures such as requirements for contractual conditions and using adequacy tests for the jurisdiction of the transfer.
- Such conditions are already provided for in the PDP Bill as a set of secondary conditions.
- The European Union’s General Data Protection Regulation too uses a similar framework.
- Extra-territorial operation: The extraterritorial application of the PDP Bill also ensures that the data protection obligations under the law continue to exist even if the data is transferred outside the country.
- Giving an individual a choice: If privacy protection is the real consideration, individuals ought to be able to choose to store their data in any location which afford them the strongest privacy protections.
- It is arguable that data of Indians will continue to be more secure if stored and processed in the European Union or California.
- These two jurisdictions have strong data protection laws and advanced technical ecosystems.
- Identification of the issues: The joint parliamentary committee ought to, ideally, identify the need, purpose and practicality of putting in place even the (relatively liberal) measures contained in the PDP Bill.
- Broader thinking at policy level: Further, in order for localisation-related norms to bear fruit, either in terms of protecting citizen rights, enabling law enforcement access to data or enabling the development of the local economy, there has to be broader thinking at the policy level.
- This may include for instance-
- Reforming surveillance-related laws.
- Entering into more detailed and up-to-date mutual legal assistance treaties.
- Enabling the development of sufficient digital infrastructure, and
- Creating appropriate data-sharing policies that preserve privacy and other third party rights, while enabling data to be used for socially useful purposes.