The past as a compass for the future

SMEs and the startup ecosystem in India share concerns about the (retracted) draft Data Protection Bill, 2021 - and the way forward for businesses

Sweta Dash

@sd93

Geographical restrictions on data - problems with data localization and cross border data flows

Submitted Aug 15, 2022

Data localization largely refers to the requirement to confine physical data storage and processing within a jurisdiction’s borders. The DPB notes that the imposition of data localization norms can be attributed to mitigating certain risks in cross-border flows of data and to addressing strategic objectives, including national security and law enforcement, privacy, employment generation, bargaining power with other countries, encouraging data-based innovation in the provision of digital services, and giving impetus to the digital economy. In effect, mandates on data localization are also regulations on the cross-border transfer of data.

While the DPB has different standards for sensitive personal data and critical personal data, businesses are finding it difficult to navigate what that means for them in terms of operations and compliance. Many have also expressed concerns about the clubbing of personal data and non-personal data together in the DPB.

As the product managers of a company that builds open source software products and services said: “I think one of the challenges as a company will be how we are going to categorise this data into different parts: personal data or non-personal, sensitive or critical data. So these kinds of categorization at a company level are going to get very difficult, and it’s going to be operationally heavy for us in the cloud services part, that when we are going to host, these categories have to be maintained, and this will also be included in our privacy by design policy.”

As stated in Clause 33 of DPB, sensitive personal data can be transferred and processed outside India with explicit consent of the data principals, but a copy of this will continue to be stored in India. This is a case of mirroring or soft localization.

For critical personal data, however, DPB mandates hard localization. Critical personal data can be stored and processed only in India. Clause 34 even explains that such data may be exempt from the data localization mandate under two situations: one, when such transfer of critical personal data is necessary for prompt actions like health services or emergencies; two, when the Central Government agrees that the transfer shall have no bearing on the security and strategic interests of the State.

Respondents remain unsure of what gets classified as sensitive personal data and critical personal data. The draft notes that sensitive personal data includes data on official identifiers, biometrics, genetics, health, finances, sex life, gender and sexual orientation, caste and tribe status, and religious and political beliefs or affiliations. Critical personal data, on the other hand, is broader and largely undefined: it refers to such personal data “as may be notified by the Central Government to be the critical personal data”. Respondents said these are crucial challenges, especially for data-heavy businesses.

“And especially for critical data, and how critical data should be defined. Because here it is very vague that the critical data will be actually defined by the government itself. But how is it going to get defined? It is not mentioned. And it is a very vague answer. So how a company can do compliance with this, I’m not very sure. And a company like ours needs answers to that,” said product managers of a company that builds open source software products and services.

Cross-border data transfer is allowed only after explicit consent of the data principal and then these transfers are to be made pursuant to a contract or intra-group scheme approved by the Authority in consultation with the Centre. The data fiduciary is to be responsible for adhering to foreign government legal and enforcement practices.

The fact that the DPB prescribes more approval mechanisms and audit systems has businesses worried. “We have to be very careful of what’s actually going outside of India from a jurisdiction point of view. And this is where, being aware of whether this is wrong or not, is itself a pain. So, there will be a financial burden in terms of getting that audit done,” said the co-founder of a FinTech business.

Restrictions on cross-border data flows have created uncertainty for respondents about their chances of scaling globally. Respondents from one business said that these provisions may negate their planned expansion into the EU region. They said that they already adhere to “a very advanced data protection regulation which is already in place over there (the GDPR)” but “since our local data laws are also going to get very heavy in terms of compliance, it is going to impact us tremendously.” 1

The founder of a business that works on MLOps said the complexities will definitely increase for their business because they are currently operating in multiple countries. “We have a payment customer who’s in 60 countries…Now, they have full copies of their stack at all of these places, the databases are also locally. The problem that comes for companies like us who have to drive machine learning and so on is now we have 10 different data sources to connect to... what could have been one, now it has become 10.”

For businesses like theirs that have bases in multiple countries, the other problem is that the localization requirements of each country are different and, as a result, the nature of the data they store and the degree to which they store it keep varying. So the compliance burden increases almost exponentially for them and drastically reduces the possibilities for global scaling.

The only businesses that did not seem worried about the implications of the DPB’s mandates on data localization and cross-border data flows were the ones that had built their systems entirely on free and open source software and were based only in India, with no plans of expanding to other countries. That remains a very minuscule minority.

A founder of one such FinTech business said they did not depend on any external services either, and that has helped them remain unaffected by the aforesaid provision in the DPB.


1. For a detailed review of the financial costs and implications of data localization, see Bhavani Seetharaman’s review of the data localization provisions in the PDP Bill: India’s Personal Data Protection (PDP) Bill - Understanding Concerns of Stakeholders, Privacy Mode.

Hosted by Privacy Mode: deep dives into privacy and security, and understanding the needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences.