India Data Protection Law Draft: What to Expect
Committee Expected to Propose Strict Data Sovereignty Rules
As a committee headed by retired Supreme Court Justice B.N. Srikrishna prepares to release a draft of a data protection law for India, some security experts working closely with the panel say data sovereignty will be a priority issue (see: Concerns Raised About Potential EU Legislation).
"A majority of the 10-member panel feels that it will be in the best interest of the country to ask all companies, including those headquartered outside of India, to store [Indian residents'] data locally," says a data privacy expert, who asked not to be named. "Having said that, the rule is likely to apply to only personally identifiable information."
The Ministry of Electronics and Information Technology, or MeitY, decided in August 2017 to form the committee to draft a framework for securing personal data in the increasingly digitized economy. The committee is working to help create a comprehensive data protection and privacy framework that meets the expectations of global stakeholders.
But a law requiring domestic online storage of Indian residents' data would "be impractical even if it is only about storing sensitive information locally," says a law enforcement official, who asked not to be named. "The interlinkages between data are huge, and I am not sure how by storing PII locally will they be able to protect data."
Other security experts, however, laud the move, saying that because some other countries are taking similar initiatives, India must not lag behind.
The Reserve Bank of India already has asked payment firms, including those offering wallets and fintech companies, to domestically store data of Indians.
"In the finance sector, a majority of banks and payment firms are headquartered in India. So implementation of a data sovereignty rule doesn't impact companies as much as if it gets implemented across industries," says Shivangi Nadkarni, CEO at Arrka Consulting, which focuses on data privacy. "We will have to wait for the committee to come out with its draft to see what sort of information they are expecting to be stored locally."
An IT integration manager of an ecommerce firm based out of Bangalore, who asked not to be named, contends that a new law mandating domestic storage of Indians' PII would be impractical.
"What is the point of coming out with such laws when there is nobody who is going to comply with it?" he asks. "The bottom line is all such rules look good on paper. I doubt we have the wherewithal to have such a mechanism in place."
But Vicky Shah, advocate, cyber law, predicts various business sectors would support the new law because of its potential benefits.
"I don't think there will be a major pushback from the industry, but there would be contractual agreements and model contracts which are already in place," he says. "If the proposed law is at par with international requirements, it will give confidence to clients overseas. We need a proper implementation and enforcement of law rather than it being of advisory nature or like a best practices document."
Na. Vijayashankar, a cyber law expert, offers a similar point of view. "Perhaps initially some pushback may happen because people may not understand how to interpret and implement the regulation. But since this applies to data originating from India, I don't see why there should be any setback."
What Should Law Cover?
A new data protection and privacy law should cover all entities - including the government - that deal with personal information of anyone residing in India, Nadkarni suggests. "It shouldn't be restricted to only 'body corporates' - as the current IT Act does," she says.
Legal experts say the law must clearly describe what personal information comprises.
"If the data localization clause specifically mentions 'all data,' then it will include log records and similar data that is required for national security purpose," Vijayashankar says. "If the legislators are not careful in drafting the law, there may be doubts and [the law will be] open to interpretation."
Nadkarni offers suggestions on what a new privacy law should include:
- Definition of PII: Data privacy hinges on how personally identifiable information is defined and interpreted so that it's not left open to ambiguity and interpretation.
- Clarity in roles: It's important that the law places responsibilities on both data controllers and data processors.
- Privacy principles and rights: These should align with requirements elsewhere around the world, including the EU's General Data Protection Regulation, taking into account what's appropriate for India.
- Dealing with violations: The law should create appropriate and accessible mechanisms for addressing violations and grievances.
- Limits on government: The law should clearly outline the boundaries for government intervention, with appropriate checks and balances, so authorities cannot misuse their power.