Data localization: to transfer or not to transfer?

Data localization, as a concept at large, demands processing and/or storage of data within a particular country or a region. One form of data localization may expect a copy or mirror image of data to be maintained while another form may expect exclusivity i.e. original (master) data to be maintained within the geography. The data could be personal data, sensitive personal data, health data, payments data, telecommunication data etc. as prescribed by the regulator or government agencies. The motivation for authorities to enforce data localization may vary from the need of maintaining national security, mass-surveillance, civilian privacy or even for economic development.

In India, one of the government policies where cross-border data transfer restrictions have manifested is the draft Indian Personal Data Protection Bill of 2018 (PDP Bill).

PDP Bill on data localization

With regards to localization, the PDP bill permits cross-border transfers. But, it holds the fort down by putting a caveat of storing at least one serving copy of the transferred data in a server or a data center located in India. The PDP Bill, however, is silent on what exactly is a serving copy. The PDP Bill requires data fiduciaries (entities that are responsible for making decisions regarding processing of personal data) to store a copy of all personal data on a server or data center in India.

This means that data fiduciaries may transfer personal data across borders but subject to certain conditions such as the standard contractual clauses and/or intra-group schemes coupled with consent and/or explicit consent of the data principles (transfers within different entities of a parent company) approved by the Data Protection Authority of India, and with Central Government’s seal of approval after consulting with the data protection authority.

Data fiduciaries are also required to maintain a live mirror of that data in India, but this condition does not extend to critical personal data (Central Government is yet to define what constitutes as critical personal data) and the same can only be stored and processed only in India.

Compliance cost and security considerations

Localization of personal data may hamper the mid-and-entry level businesses due to the additional costs involved in the establishment of servers and data centers to store data. Therefore, while the establishment of servers and data centers may appear to be a step forward, it also implies additional costs incurred by industries after, especially, factoring in the SMEs and startups, over and above the reduction in foreign investments due to increased costs of compliance and infrastructure.

On the other hand, localization will ensure that personal data that is maintained in India will always enjoy the protection extended by the PDP Bill. The requirement of retaining at least one copy of the data transferred abroad on a local server would also provide greater access in light of contingencies such as law enforcement, prevention of foreign surveillance, and national security – further mitigating the tedious cooperation arrangements between different jurisdictions. Localization could be beneficial in protecting sensitive data such as medical records and the same should be regulated for all practical and legal purposes. Moreover, data localization may help in generating more jobs, thereby, adding to the economic growth.

Finally, what remains to be seen is how the finalization of the Bill into an Act will bring clarity on the approach that needs to be adopted while analyzing, interpreting and implementing the cross-border transfer of data and localization requirements in a manner that helps to maintain a fine balance between individual’s privacy and the national interest.