by Agrim Jain
How many times have we in our lives have shared our personal details such as our age, mobile number, e-mail address, home address, date of birth and more similar details which enable people to personally identify us? This sharing of information by us on feedback forms provided to us by malls, restaurants among other places is what leads to infringement of our right to privacy and to the thought of future risks is frightening at least. It is noteworthy that despite of the fact that the initial bloom in India could be traced back to Companies Act, 2013, which required maintenance of copies of books of account in electronic form in computer systems located in India and also that the honorable Supreme Court of India has declared the Right to Privacy as a fundamental right for Indian citizens under Article 21, in its ruling on 24th August, 2017, in the case of K.S. Puttaswamy Vs Union of Indiaand others,there is still not a single effective legal framework to protect data of individuals’. The need to categorize right to privacy as a fundamental right a part from the fact of keeping up pace with technological innovations was also felt as the organisations had been enacting new modes of collecting, processing and dealing with our personal data as the rapid digitization of the economy has led the organizations and authorities to believe that the data plays a crucial role in the advancement of the economy. In India apart from the exception of Information Technology Act, 2000, which also only merely dealt with problems associated with Data Protection has proved to be in effective and as such there have been steps taken from 2018 onwards to deal with and rectify this problem. The first step in this regard was establishment of Justice BN Srikrishna Committee, which was established on 27th July, 2018, which in its report had suggested the “Personal Data Protection Bill, 2018”. This bill is considered as the stepping stone of the “Personal Data Protection Bill, 2019”, which was introduced in lower house of Indian Parliament on 11th December, 2019, for the purpose of purpose of bringing about legislative changes surrounding and safeguarding of data and personal information. Along with this another legislation by the name of “Digital Information Security”, was published in the Ministry of Healthcare Act was also brought forward by the Ministry of Health and Welfare. Furthermore, another was the mandate which was regarding Localized Data was published by the Reserve Bank of India. These all steps taken together can be termed as “Data Protection Framework”, these all depict the strong intention of the Government of India to protect National as well as Individual privacy along with providing security to the both ends as well.
The concept of Data Localization is considered as a relatively new concept in India. So, the basic question that arises is what do we mean by the term Data Localization?
It may be understood as a process through which citizens’ data is localized to one’s home country home country for its processing, storage and collection before it goes through the process of being transferred to the international level. It is done with the objective of subjecting it to one’s local data protection and privacy laws. It is based on the concept of sovereignty[i]. Thus in Indian context it may be referred to as act of companies collecting data about consumers with the intention to store and process the data within the boundaries of India. It is considered that the localization would make it easier for the country’s authority to have better domestic surveillance over its citizens apart from the fact that it would also make better exercise of privacy rights by the citizens against any form of unauthorized access to data even including foreign interference within its scope[ii]. But overall, the degree of protection accorded to data is dependent upon the applicable data protection regime.
In India prior to the announcement of Reserve Bank of India which mandated localization of the data, the data which was not stored within the country till the month of September as prior to the announcement, rather it was stored on a cloud database situated outside of India.
Purpose of Localization
While the Indian Government has moved towards the policy of LPG since the year 1991, it has been even taken forward by the Narendra Modi Government, by coupling the localization and promotion of the domestic market. It has been felt that apart from the two main colossal pillars in form of Start Up and Make in India, the topic of Data can be the third colossal pillar in India in the coming years. Apart from this there can be three main reasons for imposing stringent data localization norms. These can be stated as the following:
- Sovereignty and Governmental functions;
- The second argument in favor of localization is that it would result in accrual of economic benefits to the local industry, it can be noticed in terms of creation of local infrastructure, employment and also contributions to the Artificial Intelligence Ecosystems.
- Protection of Civil liberties, i.e. the local hosting of data would enhance privacy and security of Indian citizens by ensuring that the Indian laws applies to the data and through it the users can also access the local data[iii].
How is privacy of individual protected through data localization?
It was in the year 2018 that the National Institute of Public Finance and Policy in a working paper had brought forward the fallacies brought forward by the misleading assumption that the data localization will necessarily lead to better privacy protections. It was stated that the security of data is to be determined more by technical measures, skills, cybersecurity protocols and other established mechanisms put in place rather than through mere use of location of the data. In India the laws related to data protection come under three main categories:
- Information Technology Act, 2000 and rules framed thereunder;
- Indian Penal Code, 1860;
- Other Sectoral Regulations.
But for this paper, we are going to refer only to the Personal Data Protection Bill, 2018 and the Personal Data Protection Bill, 2019.
Personal Data Protection Bill, 2018
The enactment of the Personal Data Protection Bill, 2018 can be traced back mainly to the efforts of the Srikrishna Committee and then it is along with the Personal Data Protection Bill, 2018 and Personal Data Protection Bill, 2019 that India has joined a list of host countries that demand data localization. Data Localization implies that entities collecting or processing data should store such data or a copy of the same on local servers within the territorial jurisdiction of the country as well as permit the transfer of such data outside the country, subject to a reasonable level of protection being accorded to the same irrespective of where it is being transferred[iv]. The Srikrishna Committee also recommended that personal data determined to be critical will be subject to the requirement of being processed only in India and the Central Government was to determine categories of sensitive personal data which are to be considered critical.
Personal Data Protection Bill, 2019
This bill has received severe criticism from all spheres of the society probably because of the fact that its provisions have provided government access to the personal data of the individuals. This bill has also been referred to as dangerous and capable of turning the state into an Orwellian state as well. But, despite of the limitations and criticism, it cannot be discarded entirely as it is responsible for categorizing the personal data into two categories:
- Sensitive Personal Data;
- Critical Personal Data.
It is noteworthy that the sensitive personal data has been defined explicitly and clearly under the Act while on the other hand the Critical Personal Data has been defined as personal data as notified by the Central Government. It is also responsible for relaxing the data localization restrictions and also makes them applicable only upon the two types of personal data[v].
This bill has also mandated that though the sensitive personal data can be transferred outside India, but still it needs to be stored within India as well. The data can be transferred to outside India only upon the fulfilment of certain conditions, such as the:
- Obtaining explicit consent from the data principal;
- Pursuance to a contract or an intra- group scheme that safeguards the data principal rights;
- Ensuring liability on data processor if harm does occur.
Meanwhile on the other hand the exporting of critical personal data has been prohibited under the act specifically, though it may be permitted to a person or entity engaged in provision of health or emergency services in specified situations and also even to any country or entity or class of entity approved by the central government on fulfilment of certain conditions. It is possible only in the situation that the Central Government is of the opinion that it does not prejudicially affect the security and strategic interest of India.
An intermediary according to section 2(w) of the IT Act means as any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, web housing service providers, search engines, online payment sites, online auction sites, online market places and cyber cafes[vi].
Liability of intermediary in case of data and privacy of data
Liability under Information Technology Act, 2000
Data as per definition provided by the Section 2(1)(o) of information Technology Act, 2000 refers to a representative form of knowledge, facts, information, instructions and so on, prepared or being prepared and processed in a computer system or similar network, which could be in any form or even stored in memory of the computer[vii].
It is Section 79 of IT Act which is considered as a safe harbor as it provides conditional immunity to intermediaries from the liability of the third party acts in terms of any third party information, data or communication link made available to or hosted by them. This has been made subservient to the provisions of section 79(2) and section 79(3) of the act. Section 79(2) of the act essentially covers the cases where the activity is undertaken by the intermediary is of a technical, automatic and passive nature. Further, section 79(3) of the act has envisaged a notice and take down regime, in the situations that the intermediary is required to take down unlawful content upon receiving actual knowledge of its existence.
Liability under Personal Data Protection Bill, 2019
The Bill through its sections 7 and 11 has casted a responsibility upon a data fiduciary (including a social media intermediary), to obtain consent for collection of data and also consent for processing of data respectively. It has also been mandated that while seeking consent, the intermediary needs to communicate the purpose for collection of data and also the parties with whom the data would be shared by them to the data principal.
Thus, thus law is responsible for ruling out the opaque unilateral sharing of personal data by the intermediary without the consent of the data principal and also data principal must be made aware about the sharing of any personal data with a third party through a notice under Section 7(1)(g) of the act.
Furthermore, the section 31 of 2019 Bill, the data fiduciary is required to enter into a contract with the data processor to engage it for processing personal data and then the data processor when receives such personal data under a contract from a data fiduciary may process such data only in accordance with the instructions of the data fiduciary and is further prohibited from sub- contracting with another data processor under Section 31(2), unless is permitted by the data principal expressly. The personal data shared must also be kept confidential by the data processor in whose possession is the data received.
Downside to Data Localization
The concern of privacy of individuals has gained prominence in India in aftermath of theK.S. Puttaswamy vs Union of Indiaand others[viii], judgment of the Supreme Court, especially in terms of the concept ofprotection of personal and private data of the individuals. Along with this to meet the requirements ofthe data localization bill, the organizations would have to spend massive amounts of money to set up the servers locally among the other infrastructure costs which need to be incurred by the organization as well. It is these huge costs which prove to be of huge burden upon theexisting organizations and prove of deterrence to the new coming organizations. Finally, one more defect of data localization is that as the importance of data is recognized by the governments, individuals and delinquents alike, the country runs the risk of being honeypot of personal data making it susceptible to data security threats and scandals and it is also responsible for removing the stipulation which required mandatory recording of personal data in the country.
The policy of the Indian government regarding the data localization has gained attention due to its controversial nature, possibly due to the fact that while the government has received strong support from domestic strong warts like the Reliance Group, the policy on the other hand has also received criticism from the companies such as Facebook, Amazon, Microsoft and MasterCard. The data localization has to be also to be read in association with the fundamental right to privacy as secured to citizens by the Puttaswamy judgment of the year 2017, as while sharing of the persona data there are some serious concerns raised relating to infringement of privacy of the individuals in society. It is in these respect that India needs a strong legislation to deal with this matter be it the Information Technology Act, 2000 or the Personal Data Protection Bill, 2019, which despite being 2 years in making is sparkling several charged debates across the country. The bill was sought to be reviewed by the Joint Parliamentary Committee in January 2020, after which it is going to be tabled before Lok Sabha, then Rajya Sabha and then will be sent to the President for assent. In India in terms of Data Localization, Privacy and Concerns and resultant liability of the intermediary would be dependent upon the result of how the act is framed finally after consultations.
[i]Data Protection or Data Localization in India- Privacy- Mondaq
[ii]How would Data Localization benefit India
[vi]Section 2(w) of IT Act,2000
[vii]Section 2(1)(o) of IT Act, 2000
[viii] (2017) 10 SCC 1
[ix] Picture Credit: Financial Express