The first draft required businesses to keep a copy of all personal data in India, and process certain types of personal data entirely within India.
It was opened for public consultation last year, but the Bill, in its final form, has not seen light of day. The ministry reportedly received over 600 submissions, but did not make them public. The government has held several rounds of consultations with different stakeholders post the first draft, but the Bill or any modification was not opened for further comments.
India has already faced opposition on its wide ranging measures on data privacy from major trade partners, including the United States.
In the run up to a more indigenous data protection
regime, the Reserve Bank of India (RBI), had in October 2018, made it mandatory for all payment service suppliers to store information related to electronic payments by Indian citizens on servers located within the country.
The United States
Trade Representatives (USTR) office opposed this because the RBI announced these measure without advance notice or input from stakeholders.
In its annual report on Foreign Trade Barriers, the USTR’s office had criticised the move arguing this would raise costs for payment service suppliers, and discriminate against foreign firms.
The issue had also been brought up by US President Donald Trump during his meeting with Prime Minister Narendra Modi in September this year, an external affairs department official, said.
“The US side has pushed hard on server localisation over the past few months, at one point, making the rollback of domestic requirements conditional to talks on a trade package,” he added.
This was done at the behest of major US conglomerates petitioning Washington DC, Indian policymakers believe. US companies have pointed out in their submissions to the US Congress that global firms were dependent on globally distributed data storage and information security systems will be targeted as a result.
Furthermore, mandatory domestic data storage requirements will hamper the ability of service suppliers to detect fraud and ensure security of their networks, the US-India Business Council also pointed out.
Experts have also said that the provision could potentially harm India’s $165 billion worth information technology services industry.
In a dissent note to the original draft, Rama Vedashree, chief executive officer of the Data Security Council of India, had said, “Mandating localisation may potentially become a trade barrier. The key markets for the industry could mandate similar barriers on data flow to India, which could disrupt the IT-BPM (business process management) industry.
Officials, however, maintained that the move does not constitute a non-tariff barrier to free and fair trade. “We are open to dialogue with trade partners on all issues. As of now, we reiterate that India reserves the right to frame its own policies in these areas,” a senior commerce department official, said.
The Bill is now scheduled to be tabled in the ongoing session of Parliament. However, there has been apprehension in the industry and the international community about how the final draft will handle the contentious issue of data localisation.
“The duty of Parliament is to scrutinise Bills thoroughly, not just on the floor of the house, but also via Parliamentary committees. The relevant committee can ask for public feedback, including feedback from the government,” said Chakshu Roy, head of legislative and civic engagement, PRS Legislative Research.
Any changes, therefore, can be introduced only at the Parliamentary Committee level or once the Bill is signed into law.