BENGALURU: The European Union, which passed the ambitious internet privacy law ( GDPR ) in May, has termed the data localisation requirements proposed by India as unnecessary, harmful and likely to have negative effects on trade and investments. The proposed data protection policy in India requires every data fiduciary to store at least one copy of personal data collected on a local server or data centre.In its submission to the Ministry of Electronics and Information Technology ( MeitY ) on September 29, the European Commission said such regulations would create “unnecessary costs, difficulties and uncertainties that could hamper business and investments”.In the written submission, Bruno Gencarelli, the head of International data flows and protection at the European Commission, also said the draft policy contained no clear guidance on when the central government might consider an exception “necessary” for processing data outside India. It also raised concerns on the independence of the Data Protection Authority of India that would supervise and investigate the application of the law, and the exemptions for the free collection and processing of data in the interest of ‘national security’.The last day for submissions on the policy consultation was September 29. While the government has not yet disclosed the number of submissions it received, the Internet Freedom Foundation has filed an RTI seeking details of the submission made to the government. The European Commission published its submission to MeitY on its website on November 19.The commission said India’s endorsement of a high level of data protection would constitute a critical example at a moment when there is an increasing demand for international standards on privacy. In this regard, “such localisation requirements are not necessary, be it from a data protection standpoint, as amatter of economic policy or from a law enforcement perspective”, the commission said, adding that the EU ’s GDPR did not contain any data localisation requirements and offered flexible tools to different business models and transfer situations.The submission also warned that a data localisation proposal would create significant cost for companies, especially foreign ones that would have to set up additional processing, storage and duplication infrastructure. “Contrary to what is sometimes suggested, India’s striving tech industry does not need this type of forced-localisation measures … If implemented, this kind of provision would also likely hinder data transfers and complicate the facilitation of commercial exchanges, including in the context of EU-India bilateral negotiations on a possible free trade agreement,” it said.The commission said data localisation was by no means the only way to ensure law enforcement authorities to obtain legitimate access to electronic evidence. “In this respect, the EU is facing similar challenges as India. However, rather than forcing the localisation of personal data in the EU, it is currently preparing legislation that will allow the police and prosecutors to access electronic information, irrespective of whether it is stored in the EU or not,” the submission said. The commission suggested a multilateral arrangement allowing for mutual access to data, or a similar approach adopted by the US with the US CLOUD Act.