Explained: RBI’s new data localisation rules and what’s missing
India’s search for a data protection framework began from the Supreme Court judgment on the Right to Privacy delivered on August 24, 2017. The judgment, which overturned the Court’s earlier contrary judgments on the subject, highlighted the judicial intention of protecting personal information of individuals with the greater objective of protecting civil liberties.
Since then, much has happened in the sphere of data protection.
While the Srikrishna Committee has submitted its report on a national data protection framework and the ministry of electronics and information technology (MeitY) has circulated the Personal Data Protection Bill, 2018, the Reserve Bank of India (RBI) has issued rules for local storage of payments data. The RBI rules followed the circulation of the draft Digital Information Security in Healthcare Act (DISHA) that seeks to empower the health regulator to localise data. And finally, the RBI rules were followed by the issue of the draft National e-Commerce Policy by the Department of Industrial Policy and Promotion (DIPP) earlier this year, which forcefully restricts sharing of Indian data abroad.
The series of developments since the Supreme Court judgment conveys a couple of distinct impressions. The first is that of the Supreme Court judgment inspiring regulatory activism. This is particularly visible in a situation where India is yet to create an umbrella authority for regulating data. And the second impression is that of a judicial judgment delivered for protecting civil liberties being used by regulators and government agencies to justify protective economic policies.
Some analysts have argued that the Personal Data Protection Bill, 2018, proposes the template for data localisation in India. This is debatable. However, given that the Bill is premised on the core objective of safeguarding personal information and preventing breaches of such data, it is not surprising that it proposes that certain categories of sensitive data, defined as ‘critical’ personal data, need to be stored exclusively in a server or data centre located in India. For non-sensitive personal data, the Bill requires processors to ‘mirror’ or store at least one copy of the data in an Indian server. The latter is transferable outside India, including to specific countries and sectors in these countries, if so decided by the central government and the Data Protection Authority that the Bill proposes to establish. These countries, obviously, need to be jurisdictions providing an ‘adequate’ level of data protection, which could reflect the influence of the European Union’s General Data Protection Regulation (GDPR).
The larger point to note though is that the Bill provides for cross-border transfer of even sensitive ‘critical’ personal data ‘to a particular country, a prescribed sector within a country, or to a particular international organisation that has been prescribed under clause (b) of sub-section (1), where the central government is satisfied that such transfer or class transfers is necessary for any class of data fiduciaries or data principals and does not hamper the effective enforcement of this Act’ [Section 41(3)(b)]. In effect, this clearly implies that, under specific conditions, the government can certainly allow transfer of sensitive personal data, including financial data, health data and data protected by passwords.
The flexibility on data transfer allowed in the Personal Data Protection Bill of 2018, however, is missing from the rules that RBI has announced for local data storage. Except for mentioning that only data for the foreign leg of the transaction, if any, can be stored overseas, the RBI rules insist on storage of end-to-end payments transaction data only in India. Financial data is defined as sensitive by the Data Protection Bill. But while the latter mentions conditions under which such data can be transferred abroad, the RBI rules are completely silent on such possibilities.
There are two implications of the silence. First, RBI takes a much stricter, overarching and restrictive position on data transfers than the Personal Data Protection Bill, 2018, does. Second, it raises questions about which authority will have the final call in deciding the circumstances under which sensitive data may be transferred. On payments data, for example, would it be RBI’s prerogative or that of the Data Protection Authority and the central government?
The overarching and strict posturing is also evident from the draft National e-Commerce Policy prepared by the DIPP. The policy not only prescribes localisation for all data generated by the Internet of Things (IoT) in public space, but also suggests narrow and limited grounds under which cross-border data transfers can happen. Furthermore, in going where no other rules and policies have gone, the policy insists that businesses storing Indian user data abroad give central government agencies immediate access to such data whenever those agencies request it.
What is perhaps becoming increasingly clear is that the Supreme Court’s judgment has provided the framework for RBI and the DIPP to push hard on data nationalisation. These agencies now can fall back upon the judicial intent of safeguarding civil liberties for defending their policies on local data storage, restricting cross-border transfer, and even refraining from participating in global trade negotiations like informal e-commerce talks. This is truly unfortunate.