The Legal Implications of India's New Data Localisation Policy in 2024

Spread the love

This article has been written by B.Pooja, a 3rd year student pursuing BA. LLB(Hons) from SRM University.

Table of Contents

ABSTRACT:

New data localisation policy adopted by the Indian government, in 2024, makes sure that any type of data collected within the country is stored and processed locally. The policy enhances data privacy, security, and sovereignty but raises some significant legal implications. In this case, multinational companies operating in India have to adhere to the strict rules in terms of data storage. Legal issues range from ones taken from cross-border transfers of data, compliance with both Indian and international data protection laws, to concerns about business operations and innovation. This paper engages with the legal environment of India’s data localisation policy and its consequences on businesses and the broader global digital trade and data governance implications.

INTRODUCTION:

“Data localization is all about keeping data within the area where it was created. For instance, if a company collects information in the UK, it means they store that data right there in the UK and do not transfer it into some other country for processing.”[1]

“It’s about the laws that require data to be stored, processed, or transferred within a specific location.”[2] This concept has recently gained much importance with today’s digital world, where data would be a prime asset, and questions about data privacy and security are getting more severe along with data sovereignty. The control over where data is stored and how it is accessed plays a very important role in the relaxation of the flow of data, protection of citizens’ personal information, and prevention of data misuse.

“The global companies would usually carry out a one-size-fits-all approach in their operations, technology, and managing data, which treated all markets alike, for decades.”[3] Winning through scale is under stress today, as countries and regions across the world develop and enforce a multitude of overlapping – and in some cases even confusing – regulations concerning data privacy, protection, and localization.”[4]

India has in recent times taken an incredibly important stride in the journey toward data protection legislation, and while the Personal Data Protection Bill and the Information Technology Act are milestones, they laid a framework for the foundation of data privacy. However, it has been found that the current legal framework is wanting to address contemporary data security challenges, as well as the present-day boom in data generation.

THE CONCEPT OF DATA LOCALIZATION:

Data localization is the requirement set by a country’s laws that stipulates data must be stored within its own borders. This issue sparks plenty of debate because it touches on important matters like our personal privacy, the safety of our nation, and how we manage trade across borders. With more data moving around the world than ever before, it’s crucial to address the potential for that information to be misused.

The world has an evolving concept of data localization, considering the sheer volume being collected and processed in organizations; hence, the need for efficient storage, management, and protection of that data is indispensable. Data localization means a way for countries to have control over how data, especially personal data, is stored and dealt with. There has been considerable importance attached toward such data protection, privacy, and strict adherence to local laws and regulations.

“Scientists Predict that by 2025, our world will be generating an astonishing 463 exabytes of data every single day.”[5] To put that into perspective, it’s like having countless digital conversations, photos, videos, and interactions piling up all around us!”[6]

Of course, we have all been producing gigantic amounts of information for decades, so that, in and of itself should come as little surprise. It is because of this and the growth of cloud computing more generally, however, that regulators, privacy advocates, and consumers are all becoming increasingly anxious about where that information is stored and who can access it. In response, the numbers of data localization laws that have cropped up around the world have skyrocketed.

Types of Data Localization:

Absolute data localization:

The data is never allowed to leave its jurisdiction of residence, not even temporarily. If a country, like India, has enacted absolute data localization laws for critical personal data, there is no way for businesses outside such countries to transfer customer data out.”

Relative data localization:

It refers to the instance in which data is allowed to leave its jurisdiction under a predetermined set of circumstances. This is a much more common form of data localization. Although this makes it possible to share data across borders, organizations looking to access that information must navigate a complicated web of regulations to get there.

Physical Localization:

This means that the data must be kept on servers that are located within the country. Essentially, if you want to keep your information safe and compliant, it needs to stay right here at home.

Logical Localization:

Sometimes, it’s okay for data to be stored outside the country, but it still needs to feel like it’s local. This involves keeping the data organized and accessible in a way that users can interact with it as if it were right nearby.

Jurisdictional Localization:

Even if data is stored in another country, it’s still bound by the laws and regulations of the local area. So, no matter where your data physically resides, you need to ensure that it follows the rules back home.

DATA PROTECTION IN INDIA:

The privacy framework of India indeed has a long and storied history. It is known that the right to privacy was the first recognized by Indian courts and interpreted as part of the fundamental right to life under India’s constitution. Subsequently, this framework attained a formal existence under the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Privacy Rules”). While the broad regulation of cyberspace in India is mandated by the IT Act, it is the Privacy Rules that articulate the compliances that are to be implemented to see how the Government handle your personal information in any of the categories mentioned above. These are short and nominal requirements like collection of consent beforehand, issue of a privacy policy, and security standards to be followed.

DATA LOCALIZATION POLICY 2024:

India’s upcoming Digital Personal Data Protection Act (DPDPA), set to take effect in 2024, is designed to protect the privacy of its citizens. This legislation aims to create a strong framework that will regulate how personal data is collected, used, and shared, ensuring that individuals have greater control over their information in our increasingly digital world.

KEY FEATURES OF THIS POLICY:

What the Policy Requires:

The 2024 data localization policy dictates that some kinds of data will have to be stored in India. These include:

Sensitive personal information should be kept safe and only handled within India.

Sensitive personal data, which may include health or financial information, can be transferred out but only subject to conditions, such as with the permission of the Indian government.

Different sectors need to comply with these rules, and some sectors are under more stringent requirements than others. For instance, finance related sectors, health care and telecommunication sectors are kept under more stringent due to the nature of the data they handle.

Which Are the Affected Sectors?

Banks and Finance:

They would have to keep payment data inside India as was mandated by earlier rules of RBI.

Healthcare:

Hospitals and telemedicine service providers will have to store the patient’s information locally; otherwise, it will not be available and also not secure and under Indian legal control.

E-commerce:

E-commerce companies such as Amazon or Flipkart will have to keep their customer information within the country, which will affect how they manage data across all their global operations.

Technology and Social Media:

Companies like Google and Facebook will have to make changes in their practice of handling data to meet the local requirements.

What If Companies Do Not Comply?

There are consequences if companies do not comply with these data localization standards. They may include:

Fines:

Companies might be subjected to paying millions in dollars if they are found to be non-compliant.

Limitation on Business:

In cases where the companies are found to be in non-compliance, the company could be restricted in operation or even barred from operating within the Republic of India altogether.

Again, the auditing by the government will ensure that firms meet all the requirements, and there will be better enforcement to ensure that there is observation of rules.

LEGAL EFFECTS ON INDIAN BUSINESS:

Needs to comply with Domestic as well as International Entities:

Indian businesses would need to alter their practices of data management in line with policy provisions whereas foreign ones could have to invest in domestic data centers and novel international data flows.

Companies running business in India could face a clash between localization requirements imposed by Indian authorities and data protection laws in other jurisdictions and potential legal conflicts.

Data Localization Implementation Costs:

Compliance Costs to Corporates:

The policy would increase the compliance costs to companies and incur expenses such as setting up local data infrastructure, maintaining it, as well as consulting lawyers to overcome some of the complexity in regulations.

Some small firms find this cost unbearable, hence are less likely to compete with the big firms which are in a better position to meet this cost.

Consequences for cross-border data flows:

“Data localization then often presents barriers to the smooth flow of information across borders, complicating international trade and cooperation.”[7] For instance, with the invalidation of the EU-U.S. Privacy Shield, the lack of proper data protection for international data transfer has raised attention, which may force a more stringent data localization for the protection of personal data. These policies can also further increase internet fragmentation and make it more difficult to maintain the global data networks.”[8]

IMPACT ON DATA PRIVACY AND SECURITY:

Proponents argue that by localizing data, security is enhanced because it restricts the accessibility of foreign access to sensitive data and maintains the national standards for data. It also has a chance of increasing the time associated with responses to cybersecurity incidents.

Others believe that in a locality, concentrating data in a few local data centers has the potential of making it an easier target for cyberattacks, which may increase the risks rather than decrease the risk.

Privacy Concerns and Impact on Users:

Stiff policy on data protection can be associated with more protection for the data of users; and more police powers can be raised as concerns where the government will indulge in more surveillance. Access by the authorities to private information will be compromised further in the policy without even serious mechanisms for legal protection being put in place.

Conflicting requirements of localization with international norms on data protection and user’s consent may raise privacy concerns.

CHALLENGES TO DATA LOCALIZATION IN INDIA:

“While this ‘soft localization’ approach allows for greater flexibility and quicker responses to urgent situations, it also results in a lack of regulation due to the absence of government notifications.”[9] In addition, the security and law enforcement interests of the government are not singly met by the enactment of legislation; instead, there must be full-fledged MLATs governing data reciprocity each time courts or enforcement agencies require it

Right now, India has signed 45 Mutual Legal Assistance Treaties (MLATs) with other countries. However, without an MLAT in place with certain nations, there can be legal complications.”[10]

The condition of data localization may enhance the risk of cyber security as the ability to share ‘threat data’ may become diminished (back-end data used to identify specific kinds of threats, including “threats, such as data on cyber-attacks and system vulnerabilities, with other countries, especially when there are no Mutual Legal Assistance Treaties (MLATs) in place.”[11][12]

CONCLUSION:

In conclusion, India’s 2024 Data Localization Policy marks a significant shift toward greater control over data within its borders, aiming to strengthen data security, support local businesses, and assert digital sovereignty. While the policy promises to enhance the protection of sensitive information and improve regulatory oversight, it also poses challenges for businesses, especially foreign companies and smaller enterprises, which may face increased compliance costs and legal complexities.

[1] https://www.cloudflare.com/learning/privacy/what-is-data-localization/

[2] https://medium.com/permissionio/what-is-data-localization-meaning-and-

laws-explained-64e80afd786c

[3] https://cloud.google.com/learn/what-is-big-data

[4] https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/lo

calization-of-data-privacy-regulations-creates-competitive-opportunities

[5] https://www.knowledgehut.com/blog/data-science/data-analytics-future

[6] https://www.immuta.com/blog/data-localization/

[7] https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-a

re-spreading-globally-what-they-cost

[8] https://www.csis.org/analysis/real-national-security-concerns-over-data-localization

[9] https://www.mondaq.com/india/privacy-protection/1522118/data-localization-in