Hindu Business Line today carries an article stating that according to “ITU-APT”, the data protection Bill as envisaged may impede the right of foreign nationals.
The report also holds a threat that foreign jurisdictions may bar use of servers located in India.
This threat has come in the form of a letter written to the TRAI.
ITU-APT Foundation of India claims to be a non-profit, non-political, non partisan industry foundation registered under the Societies Act in India. The parent organization is a Geneva based international organization having presence in other countries such as USA. The representation appears to have been led by FaceBook/Meta.
While we donot have the copy of the representation, the Business Line report indicates the following views expressed by the Association in the letter.
- The DPB 2021 does not contain provisions that prevent Government access to data of foreign nationals stored in India.
- The draft law will hamper user rights and could prevent cloud service providers and other entities from locating their servers in India
- “Critical Personal Data” (a term that is yet to be defined) cannot leave except in very limited circumstances such as health and emergency services or where the Central Government allows such transfer.
- The association contends that the draft DPB 2021 currently does not expressly consider the case where personal data may be located in India due to localization requirements but could be subject to the laws of the country in which such data originated. It does not address the possibility of Government access to such data in a way that over rides the protection provided to personal data in other jurisdictions. This may, in turn, hinder the ability of cloud service providers and other entities to locate their servers in India as foreign jurisdictions may bar them from doing so on account of data security concerns (for instance, due to the inability to get approval from foreign jurisdiction regulators to store data in India owing to concerns such regulators may have about protection of their citizens’ data).
We are not clear if this representation has been made by the parent body directly or the local arm of which Shri Tilak Raj Dua is the Chairman, Shri Bharat Bhatia is the President.
We would like to however point out that the argument of the organisation is based on incorrect interpretation of the Bill and we would like to explain why we feel that India requires a stronger Data Localization law than what is proposed in DPB 2021 in the light of the risk that has been highlighted due to the Russia-Ukraine conflict.
Russia Ukraine Conflict has exposed a new Risk
We donot want to go into who is correct or who is wrong in the Russia-Ukraine/Nato/US conflict. We donot want to argue whether USA’s destruction of Iraq suspecting nuclear arms was justified or Russia’s invasion of Ukraine suspecting Bio Weapon factories run under the US patronage (like the Wuhan lab which could have manufactured the Covid virus), is more justified.
We can however focus on the action of many US companies which stopped services not only in Russia but also in India to private companies who had some business commitments to fulfil.
It is the prerogative of these companies to join a war for any cause but when their interests threaten Indian interests, we need to recognize it as a risk. Today we have recognized that there is a “China Risk” in depending on Chinese telecom equipment. But a similar risk appears to have emerged in the services of the US companies. The VISA for example stopped its Card processing services in Russia. What prevents them from bringing similar pressure on India if they are unhappy with the RBI regulation on data localization?
If FaceBook exits from India, there is no problem. It would be a blessing in disguise for the Indian society. But what if Microsoft or Adobe is arm twisted by the US Government to stop their services in India through the backdoors they maintain on their software?
Microsoft , and Apple also have a huge data collected from their “One Drive” feature which is more or less mandatory to be used for users. Google again is another US company which holds data about Indians beyond what is reasonable. If they ever stop access to such data then Indian citizens and Government will feel the real pinch of an Information war.
Is there a guarantee that these companies will not join a war in a fit of anger on India’s Kashmir policy or if Pakistan disintegrates and Baluchistan requests India’s help on humanitarian grounds to be liberated like Bangladesh?.
Like US sending their aircraft carrier during the Indo-Pak war of 1971, what is the guarantee that all windows computers in India stop working and all Adobe PDF documents vanish?
To counter such risks however remote they may be, India needs to take action through its current law namely ITA 2000 as well as the proposed Data Protection Law.
In this background let us see if ITU-APT ‘s objections hold any value.
- ITU-APT says that DPB 2021 does not contain provisions that prevent Government access to data of foreign national stored in India.
Though it is our sovereign right under which any asset any where in India can be accessed in the national security interests, we must draw the attention of ITU-APT to section 37 of the Bill which states
Power of Central Government to exempt certain data processors.
The Central Government may, by notification, exempt from the application of this Act, the processing of personal data of data principals not within the territory of India, pursuant to any contract entered into with any person outside the territory of India, including any company incorporated outside the territory of India, by any data processor or any class of data processors incorporated under Indian law.
This section gives a provision that Government may grant exemption from the Indian law for personal data of foreigners stored in India subject to a notification. Hence all the arguments built by ITU-APT are false and qualifies to be called a deliberate mis information.
It is not however necessary that India should become a safe haven and any data processed in India which may hold a global humanitarian threat or Indian national security, should not be touched by the Indian law enforcement agencies.
For example, if the data pertains to a foreign agency running a Bio Weapon facility anywhere in the world, or related to planning of a terrorist activity anywhere in the world, it would be the bounden duty of the Indian Government to investigate not withstanding the data being that of a foreign national and being processed in a server belonging to a US entity.
When laws are made, there have to be empowerment for such eventualities along with appropriate checks and balances to ensure against misuse. Presently we are only discussing the basic provisions of the Bill where for empowerment purpose, provision of access under emergent situations must exist. The checks and balances will have to be discussed when the rules are framed by the DPA.
We already have Section 69/69A/69B/70B of ITA 2000 which ITU-APT should study and raise any objections if they have got. Probably they are not even aware of the law called ITA 2000 which is the current data protection law of India and will continue even after DPB 2021 becomes a law.
Hence the objection of ITU-APT on this ground is unfounded.
2. Regarding the hampering of the Cloud service providers, it is a business decision that these service providers may take whether they should have their services in India or not. There will be around 2 years time and India will try to develop its own services for data storage if these cloud service providers want to deny their services.
Even if the cloud service providers are prevented by their respective Governments to store the data originating from their country in India, it is their choice. If the cloud service providers are aware of a technology called “Encryption” or “Pseudonymization”, they can still use Indian servers and manage the local legal requirements. Perhaps ITU-APT does not think that the companies who have a need to store data in a cloud are not aware of such access control measures to address the concerns.
We strongly feel that there is no need for Indian Government to create a safe haven for International data to satisfy the concerns of ITU-APT. We need to take care of our national interests first and the protection of the legal obligations of the cloud service providers to a foreign country has to be subordinated to the Indian interests.
3. Critical personal data was an empowerment that the Government of India built into the law to protect contingent concerns. Now the Russia-Ukraine war and the private sanctions of commercial MNCs on other commercial organizations in India ignoring international law have underscored the need for this provision to be clarified if required.
Government may therefore declare that
“Critical Data” includes personal and non personal data, the incapacitation or destruction of which , shall have debilitating impact on national security, economy, public health or safety.
For the purpose of implementing the cross border restrictions on Critical personal data, all organizations handling such data shall be considered as “Significant Data Fiduciaries” and assure the DPA through a registration agreement to protect the Indian interests at all costs.
4. The ITU-APT has not considered the fact that DPB 2021 basically applies only to data that has its origin in India, It does not affect the personal data of a foreign citizen originating abroad and processed aboard.
If such data is brought to India for processing, then Section 37 exemption as well as the security tools such as Pseudonymization, Encryption and Anonymization can be used by the Data Exporter to protect the interests of the foreign citizens.
There is no need for India to dilute its laws for the sake of data exporters from other countries who donot want to invest in appropriate security technology.
It therefore appears that the representation of ITU-APT is devoid of merits and has to be rejected.
I request the TRAI not to initiate any action in this regard. Additionally we urge the Government to tighten the Section 33/34 provisions of DPB 2021 and make it mandatory for a copy of all data transferred out of India henceforth has to be kept in India. Additionally as recommended by the JPC outside the Bill, all data transferred out of India in the last 3 years need to be brought back to India as a copy.
Naavi