In a recent article in the Washington Post, Mark Zuckerberg, founder and chief executive of Facebook, said there is a need to regulate the internet while preserving what is good about it. One of the areas he identifies as requiring new rules is privacy and data portability. He makes a case for a globally harmonised framework, taking the EU General Data Protection Regulation 2016 (GDPR), considered one of the most stringent privacy laws in the world, as the basis.
In India, there is indeed a need for a robust privacy law that puts the rights of the individual at the centre. The nine-judge bench of the Supreme Court of India (SCI) in Puttaswamy (the Aadhaar case; 2017) recognised the right to privacy as a fundamental right under Article 21 of the constitution. The Personal Data Protection Bill 2018 (the Bill) was drafted with the twin objectives of creating a legal framework for data protection and an enabling environment in which data-driven innovation and entrepreneurship can flourish.
Section 40 of the Bill, however, imposes a data localisation mandate that does not serve its privacy objective. Storing data in India may in fact have the opposite effect, making individuals more vulnerable to Big Brother surveillance.
What The Bill Mandates
The Bill requires personal data to be stored on a server located in India, and notified critical personal data to be processed only in India. Section 41(1) of the Bill permits cross-border transfers of personal data (other than notified critical personal data) only subject to standard contractual clauses or intra-group schemes approved by the Data Protection Authority, or where the central government has permitted transfers to a particular country, sector or international organisation. In addition, the transfer of personal data requires the consent of the data principal, and the transfer of sensitive personal data requires explicit consent. Taken together, these requirements prohibit or severely restrict routine cross-border transfers by subjecting them to burdensome gatekeeping and approvals.
India already has a data localisation requirement in respect of customer account information in the telecom sector. On April 6, 2018, the Reserve Bank of India issued the Storage of Payment System Data Notification, requiring all payment system providers to store payments data in India to ensure better monitoring and supervision.
The deadline for compliance expired on October 15, 2018, and in a case pending before the Supreme Court, allegations have been made that some platforms, such as WhatsApp, have not complied. Further, the Draft National e-commerce Policy published on February 23, 2019 provides, in respect of the Internet of Things (IoT), for a Decentralized Citizen-owned Data Ecosystems (DECODE) approach to develop a data-centric digital economy around data generated and gathered by citizens, the IoT and sensor networks; it also requires that data generated by users in India from sources such as e-commerce platforms, social media activity and search engines be stored locally within three years.
Most countries do not have a data localisation requirement. The EU GDPR allows cross-border transfers of personal data to jurisdictions that provide an adequate level of protection. Where no adequacy decision exists, the GDPR permits transfers subject to appropriate safeguards, such as standard contractual clauses and Binding Corporate Rules (BCRs), and, in the absence of either an adequacy decision or appropriate safeguards, under derogations for specific situations. Transfers under standard contractual clauses require no prior notice to or approval from a supervisory authority.
China has the most comprehensive data localisation mandate. China’s Cybersecurity Law, 2016 and a range of related implementing regulations require personal information of Chinese citizens collected and generated by critical information infrastructure (CII) operators in China to be stored on servers in China. Further, both the scope of CII and the notion of “important” information remain undefined, and operators are required to provide encryption keys to the government.
Other countries have imposed restrictions limited to specific sectors: Russia, Vietnam, Indonesia (operators of public services), Australia (health records), Nigeria (subscriber data of tech and telecom firms, and government data) and Germany (telecom and internet service providers).
India’s objective appears to be to assert national sovereignty over the valuable data resource of a billion-plus people, combined with the aspiration of economic benefit from giving local companies a competitive advantage. However, as the Srikrishna Committee Report itself recommended, a cost-benefit analysis must be undertaken before such a law is enacted.
Data And Healthcare
The internet is built on the technological capability and the legal ability to move massive amounts of data across jurisdictions. India has greatly benefitted from the boom in digital services premised on cross-border data flows: IT BPO, Business Process Management solutions, global in-house centres, global cloud computing services, analytics services and so on. Any attempt to restrict this free cross-border data flow will become a burden on companies across many sectors of industry.
The healthcare sector will be particularly affected by the data localisation directive. Consent is and will remain the cornerstone of scientific research involving human subjects, and health, biometric and genetic information are treated as Sensitive Personal Data under the Bill and under the SPDI Rules 2011 framed under the IT Act, 2000. However, the requirement for a data principal’s consent prior to international data transfer must not be made onerous or restrictive.
Further, multinational pharma companies develop medicines that are safe and efficacious for patients around the world. To accomplish this, they must conduct research and development (including global clinical trials) as well as monitor the effects of their medicines in different countries (pharmacovigilance). Unfettered cross-border transfer and analysis of patient information is a sine qua non.
India is a destination of choice for global clinical trials, research facilities, IT-enabled services centres and analytics hubs for global pharma and healthcare companies. India missed the bus on the manufacturing boom but has the ability and the opportunity to leapfrog into new value-added digital services such as predictive and prescriptive healthcare and the application of AI. A data localisation mandate, or restrictions to the same effect, will stymie such prospects.
Instead of insisting on a blanket localisation mandate or cumbersome red tape, the Bill must ensure that its primary purpose is met: that the rights of data principals are protected through adequate data security and appropriate privacy safeguards.
Krishna Sarma is managing partner at Corporate Law Group.