Big tech is in a knot over data localisation norms.
NEW DELHI: The release of the ecommerce policy, which recommends a much stronger form of data localisation, has added to the woes of foreign internet and social media companies like Amazon, Google, Facebook, and Twitter , which were already reeling under the provisions of the Srikrishna committee’s draft data protection law — which seem milder in comparison now.
The ecommerce policy has mandated that data hosted of Indians on ecommerce platforms, social media, search engines, etc, would have to be stored “exclusively” in India, while the Justice Srikrishna committee draft data law had recommended that ‘one copy’ of all personal data has to be stored in India and only critical personal data – as defined by the government – will be stored only in India.
Sangeeta Gupta, chief strategy officer at NASSCOM, said that there can’t be multiple such policies for data protection with different recommendations by the Reserve Bank of India, under the ecommerce policy and by the Srikrishna committee. “The law has to be one.”
Gupta added that from an industry point of view, “Somewhere the focus of data protection and the importance of privacy has been subsumed as localisation rather than what is required for data protection,” she said.
Nasscom has always stood for cross border flow of data and will raise the issue during the consultation process for the Srikrishna committee draft and will request the same for the ecommerce policy, Gupta added. The draft Data Protection Bill , which was submitted to the government last week, if accepted will impact a wide array of companies, and include all and any firm which collects demographic data of residents such as name, address and age. This will include all social media and internet firms, along with email services providers like Google’s Gmail, ecommerce firms, telecom companies and banks among others. Google, Facebook and Twitter did not respond to ET’s request for comments.
The mandate had also split the 10-member committee with two members giving dissent notes against the proposal. Rama Vedashree, CEO of the Data Security Council of India (DSCI) and also one the members on the Srikrishna Committee told ET that “data localisation now seems to be every ministry and regulator’s favourite mantra without any evidence that it will guarantee data protection or privacy”.
Vedashree was one of the two members who submitted dissent notes calling the approach “regressive” that negates the entire tenet of cross-border data flows, which made India a global IT hub. She also has reservations of passwords and financial data being categorised as sensitive personal data. “If IT services and BPM industry in India are managing financial and health data from 80-plus countries, including advanced analytics, it’s only fair our data protection policy allows free cross-border data flows, but mandate stringent privacy protection by all data controllers and processors.”
The recommendations by both the ecommerce policy as well as the Srikrishna committee are expected to see a huge backlash from almost all industry bodies, which have already been slamming the Reserve Bank of India’s (RBI) directive to all payment companies to store data only in India. Mukesh Aghi, president, US-India Strategic Partnership Forum (USISPF) told ET that each company leverages a unique technology platform, global infrastructure and business model and there is no one-size-fits-all solution. “The government should recognise this and allow companies to propose a discrete approach reflecting the nature of its own operations and seek concurrence from the government.” He added that localisation may increase the cost of compliance in India. As far as the RBI directive is concerned, USISPF will be advocating for the “only in India” clause to be withdrawn and extending the current timeline beyond October 2018.
Agencies such as the US India Business Council (USIBC) have also said that there are some areas of concern in the draft data bill. “USIBC will seek to work with the government of India to further improve the bill prior to its due consideration by Parliament. Privacy, security, data fidelity, and cross-border data flows are critical to India’s leadership of the global digital economy and innovation. We must work together to get this right,” the US-Indo lobby group said on Twitter.