Data Localization in India: Implications for Businesses and Data Security

May 29, 2024

INTRODUCTION

In recent years, India has eased its data localization stance, moving from stringent requirements to a more flexible regime. The Government now selectively restricts data transfers to certain notified countries, replacing blanket bans. This approach balances national security with global business needs. However, the absence of mechanisms like Standard Contractual Clauses (hereinafter referred to as “SCCs”) creates uncertainty for businesses in securing cross-border data transfers.

Despite general relaxation, sector-specific rules, like the Reserve Bank of India’s mandate for local storage of payment data, remain strict. Data localization mandates require companies to store data within India to protect national security, ensure data privacy, and support local law enforcement, but these rules also increase operational costs and complicate compliance for multinational companies.

The data localization push is part of a global trend driven by national security, data sovereignty, and economic benefits from local data centres. Businesses must understand and comply with these evolving regulations, investing in infrastructure and adjusting data management practices. The enhanced security measures are essential for compliance and protection against breaches.

India’s data localization approach requires businesses to stay informed and agile, balancing compliance with operational efficiency. As global data governance evolves, companies must adapt to meet both local and international standards, ensuring compliance, data protection, and smooth operations.

LEGAL FRAMEWORK

The Companies Act 2013 and the Companies (Accounts) Rules 2014

Under Section 94, in conjunction with Sections 88 and 92 of the Companies Act, 2013 (hereinafter referred to as “Companies Act”), covered organizations are obligated to store financial information at their registered office within India. This requirement encompasses a broad spectrum of data, including details concerning members of equity and preference shares, debenture-holders, other security holders, as well as annual returns filed with the Registrar of Companies.

Compliance with these provisions necessitates the establishment of robust data storage infrastructure within the Indian jurisdiction, ensuring that financial records remain securely housed within the country.

Reserve Bank of India’s Directive 2017-18/153 (April 6, 2018) under the Payment and Settlement Systems Act 2007

Paragraph 2(i) of the said Directive mandates the localization of payment data within India. Specifically, end-to-end transaction details and information collected or processed during payment transactions are required to be stored on servers located within the Indian Territory.

However, the directive allows for exceptions, permitting copies of payment data to be stored outside India if deemed necessary to facilitate foreign payment transactions. This regulation underscores the importance of safeguarding sensitive financial data and ensuring its secure storage within the country’s borders while also acknowledging the global nature of payment transactions.

Insurance Regulatory and Development Authority of India (hereinafter referred to as “IRDAI”) Maintenance of Insurance Records Regulation, 2015

Paragraph 3(9) of these Regulations imposes a data localization mandate on the insurance sector. It stipulates that all records related to insurance policies and claims, including those in electronic formats, must be stored within India. This requirement is critical for ensuring the accessibility and integrity of insurance-related data, facilitating effective policy management, and enabling timely claims processing.

Compliance entails the establishment of robust data storage and management practices tailored to meet the specific requirements of the insurance industry, thereby enhancing data security and regulatory compliance.

Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDP Act”)

The Ministry of Electronics and Information Technology (hereinafter referred to as “MEITY”) previously introduced the Digital Personal Data Protection Bill, 2022 (Draft), drawing attention to its Section 17 on cross-border data transfers. This section mandated the Government to “whitelist” permissible territories, which faced criticism for potential disruptions to global business and conflicts with localization regulations.

However, the subsequent DPDP Act, under Section 16, allows Data Fiduciaries to transfer personal data to any unrestricted country, showing a shift from the stringent Draft provisions. Although the DPDP Act lacks explicit details on notification processes or safeguards, subsequent notifications or Rules are expected to clarify these. These safeguards might include consent requirements, data adequacy standards, and implementing private protections like SCCs.

The DPDP Act aims to balance data sovereignty with facilitating global data flows to promote business ease while acknowledging the necessity for stricter data protection measures. It allows sectoral regulators to enforce additional safeguards where needed, striving for a delicate balance between conflicting imperatives in the digital data landscape.

BUSINESS IMPLICATIONS

Compliance Costs and Operational Changes

1. Infrastructure Investments: Companies may need to invest in establishing or leasing data centres within India to comply with storage requirements mandated by law. This involves substantial financial commitments for building, maintaining, and securing data storage facilities.

2. Data Management Systems: Existing data management systems must be modified to ensure that data is stored and processed exclusively within India’s borders. This may require extensive reconfiguration of IT infrastructure and software applications.

3. Legal and Compliance Costs: Ensuring compliance with complex regulatory frameworks necessitates engaging legal experts and compliance officers to interpret laws accurately, navigate regulatory hurdles, and implement necessary measures to maintain compliance.

Impact on Business Strategies

Data localization can significantly influence broader business strategies and operations:

1. Cross-Border Data Transfers: Businesses may encounter challenges in seamlessly transferring data across international borders, affecting global operations, collaborations, and partnerships. Complex regulatory requirements may lead to delays, increased administrative burdens, and heightened compliance risks.

2. Data Accessibility: Ensuring data accessibility and continuity for multinational teams becomes more complex and resource-intensive due to localized data storage requirements. Companies must implement robust data access policies and technologies to facilitate secure data sharing and collaboration across dispersed teams.

Enhancing Data Security

While data localization is often portrayed as a means to enhance data security, it also introduces new security challenges:

1. Localized Security Protocols: Companies must implement robust security measures in localized data centres to guard against threats. This includes using advanced encryption, access controls, and intrusion detection systems to protect sensitive data from unauthorized access and breaches.

2. Data Backup and Recovery: Efficient backup and disaster recovery within a localized framework are essential to prevent data loss or downtime. Companies must implement regular backups, off-site storage, and disaster recovery protocols.

Data localization laws enhance security but pose challenges like compliance costs and operational changes. Businesses must navigate these complexities to ensure compliance, protect data, and maintain efficiency in a globalized environment.

JUDICIAL PRECEDENTS

The landmark judgment of K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1], delivered by the Supreme Court in 2017, recognized the right to privacy as a fundamental right under Article 21 of the Indian Constitution, significantly impacting data localization policies in India. This ruling emphasized the necessity of a robust legal framework to protect personal data, establishing that any infringement on privacy must adhere to the principles of legality, necessity, and proportionality.

Following this, the Indian government introduced the DPDP Act to regulate personal data processing and ensure security and privacy. The judgment provided judicial support for sector-specific data localization regulations, like the Reserve Bank of India’s mandates for local storage of payment data, reinforcing the legitimacy of protecting sensitive information. It also allowed for judicial scrutiny of data localization mandates, ensuring they comply with legal standards and balancing privacy protection with operational feasibility.

Consequently, businesses must invest in local data infrastructure and adopt robust data protection practices to comply with these stringent requirements, aligning operations with global best practices in data governance.

Similarly, the case of Distt. Registrar & Collector vs. Canara Bank (2004) [(2005) 1 SCC 496] has significant implications for data localization in India, particularly concerning the protection of personal data and privacy. The Supreme Court ruled that the powers given to the District Registrar and Collector under Section 73 of the Indian Stamp Act, 1899, as amended by the Andhra Pradesh Act, were ultra vires the Constitution. It found that these provisions were inconsistent with the Indian Stamp Act, violated principles of natural justice, and were arbitrary and unreasonable, thus infringing Article 14 of the Constitution.

This judgment underscores the importance of ensuring that regulatory frameworks do not overreach and violate fundamental rights, which is particularly relevant in the context of data localization. As data localization laws mandate storing personal data within national borders, they must balance regulatory objectives with the protection of individuals’ privacy rights. The Canara Bank case highlights the necessity for clear, fair, and non-arbitrary regulations, ensuring that data localization policies respect constitutional protections and do not impose undue burdens on businesses or infringe on privacy rights.

In the case of Harshita Chawla vs Whatsapp Inc. And Others [Case No. 15 of 2020], adjudicated by the Competition Commission, the decision to uphold data localization laws signifies a pivotal moment in contemporary governance. By mandating that companies like WhatsApp store user data within India’s borders, the Commission reinforced the nation’s sovereignty over its digital infrastructure.

This ruling underscores the Government’s commitment to protecting citizens’ privacy and ensuring data security in an interconnected world. The verdict reflects growing concerns globally about data privacy and the potential risks associated with cross-border data transfers. By requiring companies to localize data storage, the Commission aims to mitigate these risks and enhance regulatory oversight.

Moreover, the decision serves as a precedent for other jurisdictions grappling with similar issues, highlighting the importance of aligning policies with national interests. For multinational corporations like WhatsApp, compliance with data localization laws presents operational challenges but also opportunities for fostering trust with users and regulators. By adhering to local regulations, companies demonstrate a commitment to respecting the laws and values of the communities in which they operate.

Overall, the case underscores the evolving landscape of governance, where the balance between innovation and regulation is constantly being negotiated, and data sovereignty is fundamental to maintaining trust, security, and accountability.

In the case of Balu Gopalakrishnan v State of Kerala [W.P. (C). Temp No. 84 of 2020 along with other petitions], the Kerala High Court took note of the increasing reliance on digital technologies and the exponential growth of data exchanges. The Kerala High Court underscored the critical importance of data being housed within national borders. By emphasizing the necessity of compliance with data localization laws, the Kerala High Court highlighted the imperative for entities to align with regulatory frameworks designed to protect sensitive information, uphold privacy rights, and preserve national interests.

This decision reverberates within the broader global conversation surrounding data governance, reflecting a growing recognition of the significance of data localization in safeguarding individual liberties and maintaining regulatory control over data flows in an interconnected world. It serves as a clarion call for policymakers, industry stakeholders, and legal experts to engage in robust dialogue aimed at crafting comprehensive data protection measures that strike a delicate balance between fostering innovation, ensuring data security, and respecting fundamental rights.

Ultimately, the case underscores the evolving complexities of digital governance and the pressing need for adaptable regulatory frameworks that uphold principles of transparency, accountability, and user empowerment in the management of digital data.

AMLEGALS REMARKS

The data localization laws in India, as outlined by various regulations such as the Companies Act, RBI Directives, and IRDAI Regulations, signify a prominent shift in how businesses manage and store data. These laws aim to enhance data security, promote local data infrastructure development, and assert greater control over sensitive information.

However, the implications for businesses are multifaceted. Compliance with data localization requirements necessitates substantial investments in infrastructure, changes in operational processes, and ongoing legal and compliance efforts. While localization can bolster data security within India’s borders, it also introduces challenges related to cross-border data transfers, accessibility, and localized security protocols.

Looking ahead, businesses must remain agile and proactive in navigating the evolving regulatory landscape, ensuring that they not only comply with the law but also uphold robust data protection standards.

Ultimately, while data localization laws in India present challenges for businesses, they also offer opportunities for innovation and collaboration within the local data ecosystem. By embracing these regulations with strategic foresight and a commitment to data security, businesses can navigate the complexities of compliance while driving sustainable growth in the digital age.

– Team AMLEGALS assisted by Mr. Aman Bhide (Intern)


For any queries or feedback, feel free to reach out to mridusha.guha@amlegals.com or liza.vanjani@amlegals.com
