Deccan Chronicle reports, based on Chinese mobile phone maker Xiaomi’s privacy policy, that the company transfers personal data of Indian users to third-party service providers outside the users’ jurisdiction. The privacy policy is quoted thus: “As such complying with applicable laws, we may transfer your personal data to any subsidiary of the Xiaomi group worldwide when processing that information for the purpose described in this privacy policy. We may also transfer your personal data to our third-party service providers, who may be located in a country or area outside the area of the European Economic Area (EEA)”. Xiaomi is the leading mobile phone maker in India, with a 27% market share in the fourth quarter of 2018, as per News18.

The report also says that MEITY, in a response to an RTI query, said that it did not have any information about personal data transferred outside India’s jurisdiction and that the matter was of no concern to it. This is surprising, considering both the draft Personal Data Protection Bill 2018 and the draft national eCommerce policy have data localisation rules that address the flow of data outside India’s borders. While the DP Bill requires companies to store a copy of all personal data within India, the data storage requirements in the eCommerce policy are even more stringent. They severely limit the freedom of businesses to transfer or share sensitive data that is processed in India once it is outside the country, regardless of customer consent. In effect, they necessitate the setting up of data centres in India to minimise the need to store sensitive data abroad.

What the draft data protection bill says

Section 40, Restrictions on Cross-Border Transfer of Personal Data states:

(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.

(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.

(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under subsection (1) on the grounds of necessity or strategic interests of the State.

(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.

(From the Personal Data Protection Bill, 2018; emphasis ours)

What the draft eCommerce policy says

In February, the Department for Promotion of Industry and Internal Trade released India’s Draft eCommerce Policy, which addressed data localisation among many other issues. Read our comments to DPIIT on the policy here, and our summary of the policy here. Below is what it said about cross-border data flow:

“A business entity that collects or processes any sensitive data in India and stores it abroad, shall be required to adhere to the following conditions:

  • All such data stored abroad shall not be made available to other business entities outside India, for any purpose, even with the customer’s consent
  • All such data stored abroad shall not be made available to a third party, for any purpose, even if the customer consents to it
  • All such data stored abroad shall not be made available to a foreign government without the prior permission of Indian authorities
  • A request from Indian authorities to have access to all such data stored abroad shall be complied with immediately
  • Any violation of these conditions shall face the prescribed consequences (to be formulated by the Government).”

“Restrictions on cross-border flows of data shall not apply to the following:

  • Data that is not collected in India
  • B2B data sent to India as part of a commercial contract between an Indian business entity and a business entity located outside India
  • Software and cloud computing services involving technology-related data flows, which have no personal or community implications
  • MNCs moving data across borders… internal to the company and its ecosystem, and does not contain data that has been generated by users in India from various sources, including eCommerce platforms, social media activities, search engines etc.”

We have reached out to Xiaomi for comment. The post will be updated with their response.