Legal experts warn that stringent data localisation requirements will prove to be a big operational challenge for many companies
Companies transferring personal data of Indian users across international borders will soon have to navigate data localisation norms under the draft Rules of the Digital Personal Data Protection Act. These provisions that call for additional government restrictions on companies to transfer specific data will complicate business operations, policy experts and lawyers told businessline.
Originally, the Data Protection Act had only talked about blacklisting certain countries for data storage. The Rules now add that data fiduciaries, otherwise referred to as entities or companies, transferring data outside India will be subject to restrictions by a general or special government order. These requirements will apply to specific data, determined on the basis of the recommendations of a committee constituted by the Centre. As per the explanatory note for the Rules, such a norm ensures that personal data remains protected under the Act. However, Aparajita Bharti, Founding Partner of The Quantum Hub Consulting, said that the norm may disrupt business operations.
“This is sort of creating a backdoor for bringing in data localisation requirements for significant data fiduciaries [major companies] later. This can lead to disruption in business operations by constraining businesses from using tools that may not have servers in India. This can lead to inefficiencies, costs that ultimately transfer to the customers and quality of service may get impacted. The Act only blacklisted countries for data storage but this provision creates room for classes of datasets that cannot be stored anywhere abroad,” she said.
Similarly, Akshaya Suresh, Partner at JSA Advocates & Solicitors, said that the move will prove to be a challenging curveball for major companies in today’s interconnected world where multiple third parties are part of one application or cloud infrastructure.
“We know that in some sectors there is already data localisation, like for payment systems data. But now it would be extended to other kinds of [major entities] also. It makes it difficult first to plan, because once the rules get adopted, then the central government has to issue these notifications. So, you would already start preparing for compliance and you’re in a limbo because you don’t know what exactly are these restrictions going to be on data transfer,” she said.
Companies will also be asked to figure out where their vendors send the data as well and ensure that those mechanisms are also in compliance with the Rules. According to Suresh, this will be a difficult task for companies that are smaller, which do not have much bargaining power but may have a big cloud service provider.
On the other hand, Akshayy S Nanda, Partner at Saraf & Partners, who looks at Data Privacy and Competition said that the government took a very balanced approach for data localisation keeping data privacy in mind.
“Certain kinds of personal data may actually have a major risk as far as individuals are concerned. So you can have higher restrictions, you can have data localisation norms there. But generally for other personal data, they can be freely transferred because that would enable innovation and competition in the market,” said Nanda.
Despite viewing the norm as balanced, Nanda pointed out that data localisation can still increase costs for businesses. In case of foreign companies, he said that entities will have to increase their cost to set up their entire infrastructure needs in India. He added that this may hamper the consumer’s digital experience as well who will not get the benefit of the service.
Comments
aniltikotekar4sme.com 