The European Union, which formulated its own data privacy law named GDPR this year, has said that India's move to localise data might be unnecessary, and on the contrary, may negatively impact businesses and investments in the country.
In a submission to India’s IT ministry, the European Commission — an EU body which proposes legislation — said that the new measures would create hassles for businesses.
“These data localisation requirements appear both unnecessary and potentially harmful as they would create unnecessary costs, difficulties and uncertainties that could hamper business and investments. This also applies to the exceptions in Section 40(3) which provide no clear guidance as to when the Central Government might consider an exception ‘necessary’ or in the ‘strategic interests of the State’,” Bruno Gencarelli, the head of international data flows and protection at the European Commission, wrote in the submission.
Gencarelli also raised other concerns, such as the absence of a clear diktat about exceptions to the localisation law where deemed necessary, and the freedom the draft gives to the Data Protection Authority in terms of supervising, investigating and also adjudicating cases.
In a five-part opinion piece for TechCircle, Harsh Walia, an associate partner at law firm Khaitan & Co. based in Delhi, had raised similar issues. Walia stated that the draft Data Protection bill does not clearly mention how data will remain secure in India or reduce foreign surveillance. In fact, he added that countries that have implemented such a law have suffered gravely as it does not boost domestic trade and negatively affects a nation’s gross domestic product.
Gencarelli also said that “such localisation requirements are not necessary, be it from a data protection standpoint, as a matter of economic policy or from a law enforcement perspective” and pointed out that GDPR is "a regime that is open to (and in fact facilitates) international transfers while ensuring a high level of protection is possible."
He further added that GDPR offers a variety of flexible tools, adapted to different business models and transfer situations, ranging from adequacy to contractual instruments and from specific statutory transfer bases (so-called "derogations") to codes of conduct or certification mechanisms.
The European Commission submission also notified the IT ministry that data localisation might not be the only way to get access to data during an investigation. It said that this was a problem that the EU was also facing, and that the EU was readying legislation that would allow any entity to access data in such situations that remain inside or outside their scope of authority.