“India has proposed and promulgated several data localisation requirements that would serve as significant barriers to digital trade between the United States and India. These requirements, if implemented, would raise costs for service suppliers that store and process personal information outside India by forcing the construction or use of unnecessary, redundant local data centres in India … [and] could serve as market access barriers, especially for smaller firms,” the United States government said in its latest National Trade Estimate Report on Foreign Trade Barriers dated March 2022. The report also hits out at the Information Technology (IT) Rules, 2021, for being burdensome on US firms.
The Indian government has been promoting data localisation on multiple fronts with the Reserve Bank of India leading the way for the financial sector and the Data Protection Bill proposing norms for all other sectors. While multiple companies and trade bodies have objected to these provisions, the US government’s objections hold more sway and could bring about actual changes in policy.
What are the US government’s objections to the data localisation norms?
- RBI’s norms in the financial sector: In 2018, RBI issued data localisation guidelines for all payment companies operating in India. As part of these guidelines, payment companies are required to store all information related to electronic payments by Indian citizens on servers located in India. As a result of these guidelines, Diners Club, American Express, and Mastercard were barred from issuing new cards in India. While the restrictions on Diners Club have been lifted, the other two companies continue to be barred. “The United States is monitoring the situation as discussions continue between the RBI and these U.S. electronic payment service suppliers,” the report stated. The US government had criticised these RBI norms in last year’s report as well.
- Issued without advance notice: In its report, the US government complained that these guidelines were issued by RBI without advance notice or input from stakeholders.
- Disadvantage for foreign firms: The US government pointed out that the data localisation guidelines are a disadvantage for foreign firms, which are more likely to be dependent on globally-distributed data storage and information security systems.
- Affect ability to detect fraud: Data localisation also hampers the ability of companies to detect fraud and ensure the security of their global networks, the report said.
- Data Protection Bill: The Data Protection Bill, 2021, which was tabled in the parliament in December last year, states that sensitive and critical personal data must be stored in India and can only be transferred outside India under certain conditions. The Joint Parliamentary Committee’s report on the Bill also recommends that the government gradually prepare an extensive policy on data localisation for all categories of data and a policy to bring a mirror copy of the sensitive and critical personal data which is already in possession of the foreign entities. “U.S. firms remain concerned that the new bill will negatively affect firms’ ability to transfer data across borders, the authority of the DPA [Data Protection Authority] remains unclear, and the bill may require sharing of certain categories of non-personal data,” the US government trade barriers report stated.
- Imposes onerous conditions: “The bill would impose onerous conditions on the cross-border transfer of “sensitive” personal information, requiring “explicit consent” by the owner of the data,” the report stated. The US is not alone in pointing out the compliance burden of the data localisation requirements.
- No protection for trade secrets: The report also pointed out that there is little recourse for firms in the event of misappropriation of their sensitive information because of the absence of standalone trade secret legislation.
- Undermines ability of foreign firms and does not increase privacy: The provisions of the Bill undermine the ability of foreign firms to supply many services to Indian consumers on a cross-border basis and would not increase the protection of personal information, the report stated. Speaking at a MediaNama discussion in January this year, many experts argued how restrictions on cross-border data transfer will hurt Indian companies that depend on global tools.
- Data sharing under Non-Personal Data framework: In December 2020, a committee of experts on Non-Personal Data (NPD) released a revised report on the Draft Non-Personal Data Framework, which aims to regulate the sharing of NPD. “The proposed Framework would impose burdensome requirements on domestic and foreign firms, including requests for mandatory data sharing, administrative obligations, and extending consent obligations to anonymized data,” the US government said. “Additionally, these mandatory data sharing requirements may affect copyrighted content, patent, and trade secret protection,” the report added.
- Changes to e-commerce policy: The Indian government is also working on amendments to the E-Commerce Rules, and although the latest draft does not deal with data localisation, earlier drafts proposed data localisation requirements and restrictions on cross-border data flows; and expanded grounds for forced transfer of business-sensitive information, trade secret information, and other intellectual property and proprietary source code. “The United States has strongly encouraged India to reconsider this draft policy,” the report stated.
IT Rules are troubling and burdensome for US firms
India’s IT Rules, 2021, which were published in February last year, govern a wide range of internet companies such as social media and messaging platforms. Objecting to these rules, the US government said:
“The Rules impose a number of requirements that are either troubling or burdensome for U.S. firms. For example, the Rules impose personal criminal liability on individual employees. The Rules also include an obligation to identify the first originator of information, a requirement to appoint a local compliance officer, imposition of and impractical compliance deadlines and take-down protocols. In 2021, U.S. firms have been subject to an increasing number of takedown requests for content and user accounts related to issues of domestic concern.” (emphasis ours)
- RBI Allows Diners Club To Start Reissuing Credit Cards In India, Mastercard And Amex Continue To Be Barred
- Data Protection Bill 2021: Summary Of Data Localisation Norms And Restrictions On Cross Border Data Transfers
- Data Protection Bill: Issues Around Cross-Border Transfer Approval, Data Localisation, Adequacy, And Exemptions To Foreign Data #NAMA
- Data Protection Bill: Restrictions On Cross-Border Data Transfer Will Hurt Indian Start-Ups That Depend On Global Tools #NAMA
Have something to add? Post your comment and gift someone a MediaNama subscription.