[This is in continuation of earlier articles on PDPA 2018]
There is a strong opposition to the proposal in PDPA 2018 about the Data Localization requirement which has already been discussed in the earlier articles.
There are a few specific questions that are coming up in the discussion about Data Localization, namely
“Is Data localization has any relation to Privacy”? ..
“If only a copy is being maintained in India and another copy is anyway going to be maintained elsewhere, how does it provide more security”?
” What is the meaning of a Serving Copy”?
I am sure that different view points will prevail on some of these matters but I would like to place my personal views on these.
“Is Data localization has any relation to Privacy”?
According to the diktat of the Supreme Court in the Puttaswamy judgement, Privacy Right is a fundamental right in India. There is therefore an obligation for the Government to take all measures to ensure that the Privacy of an Indian Citizen is protected.
To repeat what we have said earlier, “Privacy” is an “Individual Preference” of a person on what makes him feel “left alone”. What is “Privacy” for one is “Not Privacy” for another. What is Privacy for a person at one time is not Privacy for the same person at another time. This being the nature of Privacy and it being a matter of individual preference and choice, it is difficult to provide privacy protection by a law applicable to all.
What we are therefore doing is to focus only on “Information Privacy” meaning that we give control to the data principal to determine how some information can be collected, processed and shared. The entire exercise is therefore only related to “Personal Data Protection” and nothing else. To call this exercise as “Privacy Protection” is perhaps a misnomer but we need to put up with the situation as there may not be an alternative.
In this “Personal Data Protection Approach” to “Privacy Protection”, we need to define what is “Personal Data” and “What kind of protection we should provide”.
In order to design a guideline for such data protection, the PDPA 2018 defines data in different categories namely “Personal Data”, “Sensitive Personal Data”, “Critical Personal Data” and also “Personal Data exempted from some restrictions” for reasons of “necessity” and “strategic interests of the State”.
Coming specifically to the Data Localization, it is felt that if the Government of India needs to protect the personal data of an individual then it should have the control on the personal data. If I send my personal data to some unknown person in Timbaktu and expect the Government of India to take responsibility for its protection, it will be an unreasonable expectation.
Therefore it is reasonable for the Government to propose that “Data Shall Remain In my control” and this translates into the “Data Localization” in the Act. The industry however looks at only the commercial aspect of the requirement and thinks that any change from the current scenario may involve additional cost and therefore they donot want Data localization. If Cost is the only criteria, let us appreciate that the Privacy Protection itself imposes a cost and if there was no PDPA 2018, there would be no cost.
The industry is behaving in a strange fashion by first fighting with the Government for the legislation and now trying to stall its implementation by irrelevant arguments on data localization.
Recognizing this opposition perhaps, Government has actually diluted the Data Localization principle by providing that only the “Sensitive Personal information” is subject to strict data localization. The “Critical Personal Information” will also be subject to similar strict data localization but it will be restricted to some specific categories that the Government may have to notify. On the other hand the “Personal Information” which is not considered sensitive can continue to be processed and stored any where except that one “Serving Copy” has to be kept within the boundaries of India.
This need for local storage is restricted to data that is originating in India or is being processed in India and should therefore first be stored here and then a copy forwarded outside.
The Government has also been considerate in not insisting that the entire processing has to take place in India since only a “Serving Copy” needs to be retained. The processing can still take place elsewhere.
Thus Government is trying to yield to the industry pressure and allowing the cross border outflow of personal information for which it has prescribed under Section 41 the various means such as standard contractual clauses, adequacy of protection in a given country or sector, or upon specific consent and also when there is a “Situation of Necessity”.
The provisions are therefore very flexible and perhaps too flexible for hard core privacy activists.
The objections raised on this ground therefore lacks conviction.
“If only a copy is being maintained in India and another copy is anyway going to be maintained elsewhere, how does it provide more security”?
This is the genuine grievance of a hard core Privacy Activist and needs to be addressed through a proper system of approving of countries on “Adequacy” principle, incorporation of “Standard clauses” and “Informed Explicit Consent”.
The Data protection Authority should be expected to take necessary measures in this regard.
” What is the meaning of a Serving Copy”?
The meaning of “Serving Copy” can be interpreted in any manner based on our expectations. I feel that the intent is to ensure that it should mean a current live copy which is dynamically updated with every transaction and not a back up copy.
Since the Act applies only for data which originates from India, the local server copy can be the first instance of the data which then can be sent outside for back up storage.
Where there is a need for processing abroad, the local server should be the gateway through which the data goes out and it should return to India after processing. The facility outside India should work like a “Processing System” and not a “Processing cum storage system”. After the processing the data can be received back in India and stored here. A back up of this stored copy can be sent outside for back up storage if required.
If any company adopts a different process then they should satisfy the authorities on “Unfailing Synchronization” so that the copy in India is always the latest copy from which further transactions have to take place. The Data Protection officer should take care of this during his impact assessment.
(P.S:. As said earlier, this is only one opinion and it is possible that there may be alternate opinions also. I welcome sharing of any views and comments on the above)
Naavi