Data localization is a pernicious trend in national data protection laws. Unlike the laws of the EU, for example, where only “appropriate safeguards” (or an adequacy decision) are required under the GDPR for personal data to be transferred across national borders, data localization laws require that certain data be retained within national boundaries.
Notably, Russian law requires data operators to collect, store and process the personal data of Russian citizens using databases located within Russia, and Chinese law requires any organization that meets the definition of a “critical information infrastructure operator” (relating to infrastructure that might seriously endanger China’s national or public interests if damaged) to store within China any personal information that is domestically collected or generated.
India’s Personal Data Protection (PDP) Bill, which was withdrawn last August after five years in the making, would have put India squarely in the data localization camp. Under the PDP, “critical personal data” could only be stored and processed in India, whereas “sensitive personal data” must be stored in India but could be processed overseas if certain conditions were met. While the definition of “sensitive personal data” closely tracked the GDPR definition of “special categories” of personal data, “critical personal data” would be determined by notification of the Indian government.
So it was a relief to Big Tech, which relies heavily on India-based IT support services, when the PDP was replaced last November with the Digital Personal Data Protection (DPDP) Bill. The restricted categories of “critical personal data” and “sensitive personal data” are nowhere to be found in the DPDP.
But has India truly abandoned the data localization concept? The DPDP’s only reference to cross-border transfers is in Section 17, which reads in its entirety as follows:
The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.
Not terribly comforting language to anyone who supports the free flow of data internationally, since Section 17 appears to make data localization the default. The language above leaves unanswered the critical questions:
- How – and when – will India provide a list of countries that may receive personal data from India?
- What criteria will be used in making that determination?
- For countries that are not on the privileged list, must all transfers of personal data from India cease? Or can transfers continue subject to certain safeguards?
Contrast the GDPR regime, where even countries such as the United States, which hasn’t been deemed to provide adequate protection for EU personal data, can nevertheless receive such data if “appropriate safeguards” (e.g., standard contractual clauses) are put in place.
A larger question is: what do countries have to gain from data localization? India has long championed “digital sovereignty,” a high-sounding concept that India insists will help achieve the following national objectives:
- Obtaining ready access to personal data for law enforcement purposes.
- Preventing foreign surveillance.
- Monitoring and enforcing data protection laws.
- Spurring economic growth and innovation.
Whether data localization would actually achieve those objectives has been questioned. But even if data localization offers some national advantages, those advantages come at the price of hampering growth of the global economy as a whole, which runs on data. Restrictions on data flows create friction, and friction creates costs. It remains to be seen which path India takes under the vague language of its proposed data protection bill.