The Prime Minister’s Office (PMO) has taken over the task of overseeing India’s position on data localisation, as many trading partners, including the US and the EU, are up in arms against the government’s proposal of making it mandatory for all companies doing business in India to store at least one copy of personal data of consumers in a server within the country.

American companies such as Amazon, Microsoft and American Express, backed by the US government, have also expressed their unhappiness with the existing mandatory rule on data localisation in India by the Reserve Bank of India for payment systems despite the recent clarification from the central bank that in case of cross-border transactions, a copy of the domestic data can be stored abroad.

“The PMO has asked various Ministries including Commerce and Industry and IT on their views on the controversial issue of data localisation. It wants to take a decision after taking into account all points of view,” a government official told BusinessLine.

US apprehensions

American companies have made representations to the PMO to protest against the data localisation rules, stressing that they would make their operations more complicated and costly.

The draft data protection Bill, put together by the Ministry of Electronics and IT (MeitY), based on the recommendations of the Justice Srikrishna committee report on data protection submitted last year, has resulted in a lot of controversy, especially for its suggestion on data localisation.

The Srikrishna Committee emphasised that data localisation was critical for law enforcement: it is easier for agencies to access information required for the detection of crime, and to gather evidence for prosecution, if it is available within their jurisdiction than to await responses to requests made to foreign entities which store data abroad. Under the draft data protection Bill, the data localisation rules emphasise that one copy of all personal data to which the law applies is to be kept in a server within India. Further, certain categories of data, which are to be specified by the government as critical personal data, are to be stored in India alone.

Requirements for cross-border transfer of data are also imposed.

“While MeitY was initially aiming at ensuring that the data protection Bill is placed before Parliament in the on-going session, the opposition from other countries and foreign players has delayed it. Now that the PMO has taken over, it may take some time before the Bill is finalised,” the official said.

The cost factor

Foreign companies oppose data localisation mainly because the cost involved would be significant, as they would have to set up servers and the entire required infrastructure, including hiring of personnel, to store data in India.

The RBI, which made data localisation for payment systems mandatory last year, received so much criticism from foreign players that it had to come out with a clarification on implementation issues.

As per the clarifications, there is no bar on the processing of payment transactions outside India, but the Payment System Operators will have to ensure the data is stored only in India after processing.

In case the processing is done abroad, the data should be deleted from the systems abroad and brought back to India not later than one business day or 24 hours from payment processing, whichever is earlier.

The data should then be stored only in India. The data stored in India can be accessed for handling customer disputes, whenever required.

“The RBI is now not keen to make any more concessions in the data localisation rules for payment systems but the companies don’t seem to be giving up,” the official said.