India’s Data Localization Push Highlights GDPR Divergence
As India moves ahead with a new data privacy law, it is unclear how data localization proposals can be reconciled with the EU’s General Data Protection Regulation (GDPR), according to panelists at a recent conference in New Delhi. The Personal Data Protection Bill (PDP) 2018, which was released last July, is expected to be tabled in parliament in the coming weeks. This was the main topic of discussion on INBA’s 8th Annual International Conference titled 70th Constitution Day on November 26, 2019 at Shangri-La Eros, New Delhi.
Among the bill’s many provisions is the requirement for data processors to store at least one copy of the defined personal information on a server or data center in India. In addition, critical personal data can only be processed on a server located within the country.
Ashwin Jayaram, chief executive officer at cyber security company Cybourn, said the data localization requirements in India’s draft PDP are proving very problematic as they do not conform to the GDPR.
Given that so many transactions take place not only in India but outside the country, keeping a copy of the relevant data within Indian borders is unlikely to be simple, he said.
Jayaram was speaking on a data privacy panel as part of the Indian National Bar Association’s (INBA) one-day inaugural session to commemorate India’s 70th Constitution Day on Tuesday (26 November) in New Delhi.
Enforcement would be a major challenge, Jayaram said. With so many transactions taking place, the question on how data localization will be enforced and enforced in a timely manner remains, he said. Companies would end up incurring hefty costs, he added.
Speaking at the same session, Ankura Managing Director (Data Privacy) Noriswadi Ismail said a key question is how India will reconcile its laws with the fact that there is no such thing as data localization in the GDPR.
Vinayak Godse, vice president at the Data Security Council of India (DSCI), said more debate is needed before the law is enacted.
“The data localization debate needs to be better understood,” he said.
In September 2018, the EU said India’s “data localisation requirements appear both unnecessary and potentially harmful as they would create unnecessary costs, difficulties and uncertainties that could hamper business and investments”. If implemented, this provision
would likely hinder data transfers and complicate the facilitation of commercial exchanges, including in the context of EU-India bilateral negotiations on a possible free trade agreement.
Microsoft India’s National Security Officer Deepak Talwar told the lawyers present that with a host of different regulations and laws coming up, data privacy laws should not be at the cost of innovation.
“We may have to do a lot of hard work on both sides” to ensure compliance with both the GDPR and the PDP, he said.
Aditi Mittal, legal counsel at Siemens, said that India’s data privacy bill requires companies to protect the privacy of both employees and customers. Lawyers need to ensure corporates have robust policies within their organisations to deal with both GDPR and PDP, she said.
Mittal agreed with Rama Vedashree, chief executive officer of the DSCI, who spoke earlier in the day, highlighting the need for companies to prepare now and not wait until the bill has been enacted.
Companies need to know what data they have and how it should be segregated, both for business purposes and regulatory requirements, Mittal said. If a customer takes back their consent, the requisite data must be erased from every single place where it is residing within the company, and this would only be possible if employees know where the different data resides.
By: Freny Patel, Parr