Relaxation of the government’s data localization requirements in the upcoming Digital Data Protection Bill is set to help companies maintain parity of operational costs, industry stakeholders told Mint. The new Bill, which according to industry sources is likely to be released on Friday, November 18, is expected to identify ‘friendly geographies’ to host their data, as opposed to earlier versions which required sensitive data to be stored only in India.
“The biggest roadblock to mandating compulsory localization of data is the sheer cost of moving mass-scale data operations to India, from established markets such as the US or EU. It is not just their data that a venture would have needed to shift — migrating and localizing data in the country would require the data infrastructure’s mainframe, and a host of applications built on the mainframe, to be built in India,” said Sanchit Vir Gogia, founder and chief analyst of market research firm, Greyhound Research.
This, Gogia added, would have “more than doubled” the cost of handling and operating data for domestic firms. As a result, mandatory data localization could have ended up having a massive impact on both startups as well as larger companies, which typically use US-based data hosting and cloud services platforms such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud, among others.
Mint reported yesterday that the new Digital Data Protection Bill will help ease compliance for companies in India, by relaxing ‘some’ data localization, processing and storage norms.
To be sure, startups and companies had voiced concerns regarding compulsory data localization proposed by the previous Data Protection Bill — scrapped by the union government on August 3. At the time, Rajeev Chandrasekhar, union minister of state (MoS) for information technology (IT), said that the compliance burden upon homegrown startups was one of the reasons for which the previous Bill was withdrawn.
Experts now state that with the new Bill, India’s approach to data protection could be in line with Europe’s General Data Protection Regulation (GDPR) — among the most notable data protection laws in the world.
N.S. Nappinai, a Supreme Court lawyer and founder of cyber safety initiative Cyber Saathi, said that India’s approach could be “in line with the standards that GDPR has so far established.”
A person familiar who has been involved in consultations on the bill said that it may provide for fines of up to ₹200 crore multiplied by the number of impacted users in the case of misuse or mishandling of data. A data protection board will be setup, which will decide the value of such fines.
According to Nappinai, the approach to identify ‘friendly geographies’ to store and process data could also be similar to the EU-US and Swiss-US Privacy Shield frameworks — which define compliance for companies across the two regions in terms of data storage, transfer and processing.
Kazim Rizvi, founding director of policy think-tank The Dialogue, concurred with Nappinai, stating that the new approach could be “critical for attracting foreign investments and pushing digital exports.”
According to Rizvi, such a ‘principle-based framework’ could help India “fulfill the objectives of deploying safeguards to ensure security, privacy and data protection while allowing data to flow freely across borders.”
“It can also create a trusted environment for countries to enable data transfers and minimize business compliance, whereas India must look for principles that form the bedrock for the safety and security of data in other jurisdictions across the data lifecycle,” Rizvi said.
Gogia added that the relaxed data localization norms could still mandate that firms would need to facilitate instant and easy access to critical operational data, if the same is summoned by the government for legal requirements. While the same is done by companies presently on a voluntary basis, the upcoming Digital Data Protection Bill is likely to mandate the same.