India's passage to data protection has a big local bump in the road
- India is finally getting its data protection act together, but there could be costly consequences for US and European companies as a result.
While India has been a destination of choice for offshoring of software development and associated services by European and US companies, its data protection environment has never been on a par with that of, for example, the European Union (EU).
When the landmark Information Technology Act of 2000 was introduced by the Indian authorities, it actually didn’t mention data privacy or protection at all. It took amendments to the Act in 2009 and 2011 to introduce some provisions, largely in order to protect the burgeoning Indian outsourcing industry from increasing questions from the EU.
With the rise of a global digital economy, India has attracted investment from the likes of Facebook, Salesforce and Google and badly needs to put in place a genuinely robust data protection framework. This was tasked to a committee chaired by government-appointed Justice BN Srikrishna, which late last week formally delivered a draft Personal Data Bill 2018.
There’s a lot in the draft Bill that mirrors the EU data regulations, including a Right To Be Forgotten and the creation of a Digital Protection Authority (DPA) to act as an independent regulatory body. There are also strict rules to ensure that personal data can be collected only for compliance with any law, employment and for any function of Parliament or any state legislature.
So far, so solidly ticking all the right boxes. But then there’s the question of cross border data flows, the answer to which is localisation of data. In other words, the Bill in its current form would require data about Indian users to be stored in-country, potentially landing digital tech providers with significant costs that could well reduce or eliminate the low cost skilled workforce benefits that attracted them to India in the first place.
The Bill is also fairly broad in its definition of what constitutes personal data and would have to stored locally, making it hard to estimate the scale of the possible problems ahead.
Not every member of the Committee that drafted the Bill is happy with the potential consequences. Rama Vedashree, CEO of the Data Security Council of India (DSCI) and also one the members on the Srikrishna Committee, argues:
To ensure growth of the digital economy while keeping personal data of citizens secure and protected, it is important that as a country we take a balanced view that can meet the twin imperatives of safety and security of Indian data as well as enable the flow of global data into and from India.
We as a country and Industry have been advocating the imperative of free flow of data and talent across borders. This is the foundation of the $167 billion IT-BPM industry represents and is India’s largest foreign exchange earner ($110B in 2017-18). IT-BPM Service providers in India process financial, healthcare and other data of citizens and companies in the US, EU, and elsewhere in the world and have created employment for over 4 million people.
Mandating localization may potentially become a trade barrier and the key markets for the industry could mandate similar barriers on data flow to India, which could disrupt the ITBPM industry. We are not` only a Global hub for corporations from more than 80 countries, but also the destination for leading Global Corporations for R&D, Product Development and Analytics, Shared Services. We are also one of the largest growing technology start-up hub in the world, who from India are offering their innovative solutions and services to global geographies often leveraging global cloud platforms, thanks to the fundamental principle of Cross Border Data Flows and Internet economy.
In another development, the Indian government is reported to be considering a policy of requiring e-commerce firms in India to store customer data locally. This is essentially the same idea as is contained in the wider draft Bill, but is a separate proposal designed to protect the increasingly buoyant Indian e-commerce market.
The market is dominated by Amazon and indigneous rival Flipkart. The latter is currently in the process of being bought by US retail giant Walmart in a deal that has attracted a lot of criticism from Indian businesses which warn of a US takeover of the sector at the expense of local firms.
The draft policy is the brainchild of a a think tank made up of officials from the Indian ministries of Commerce, Finance, Home, IT and Corporate affairs. The think tank argues that government should create huge server farms that would have infrastructure status.
A separate division of the existing Directorate of Enforcement would handle complaints related to foreign direct investment in the e-commerce sector, while the Competition Commission is urged to adjust the threshold limit at which it intervenes to examine mergers and acquisitions.
This could be a very big deal with global implications. That ‘lift and shift to India’ mindset that made so much commercial sense a few years ago could become a rather more complicated business to manage. But India did need to take action to put its data protection house in order. The ‘too risky to offshore to India’ policy still lingers in certain sectors, most notably government and finance.
Mirroring so much of GDPR (General Data Protection Regulation) is sensible in terms of dealing with the EU. The impact in the current ‘bring it back to America’ administration of Donald Trump is less clear. There’s time to get things right of course. This is only the first draft. But the elephant in the room is going to be the localisation aspect and that’s going to be a tricky circle to square.
Still, full marks to India for what looks like GDPR-India! Now, where are we on GDPR-US?