Free flow of data has been a hallmark of the information revolution of the past two decades. Cross-border data flows have shrunk the world, allowing people across the globe to have the same user experience on the Internet.
But the era of free data flows seems to be coming to a close. Since 2015, a number of countries have put in place, or are thinking about, data localisation and on-soil restrictions. The digital business majors driving cross-border data flows are increasingly important in the global economy, and find themselves in regulatory crosshairs for issues like fake news, illegal content, etc.
India, too, has a number of laws on the anvil that speak of data localisation and on-soil presence requirements. It is useful to understand the motivations underpinning calls for data localisation and on-soil requirements in order to predict the final state these regulations will end up in.
II. Defining Data Localisation
There is no singular definition of data localisation. In effect, it is the opposite of 'digital globalisation', which refers to the free cross-border movement of data.
Localisation usually comprises requirements for the physical storage of data within a country's national boundaries. Sometimes, the term localisation is used more broadly to mean restrictions on cross-border data flows. Under this broader approach, data localisation may include all measures that "encumber the transfer of data" across national borders, such as: preventing information from being sent outside the country; requirement to obtain individual consent before making the transfer; storage of a local copy of the data; and imposing taxes on data exports.
Data localisation can also be demarcated by its effect – strict or conditional. The former includes requirements of local storage or processing of data; in extreme cases, a complete ban on transferring the data abroad. For conditional restrictions, the transfer of the data is made subject to the satisfaction of conditions. These conditions may be applicable to the persons undertaking the transfer (such as the need to obtain the individual's prior consent) or to the transferee country where the data is being sent.
For our purpose, we have used 'data localisation' to mean the mandatory requirements of in-country storage. That is to say, the data must be retained only on domestic servers, or (in a slightly less stringent version) data mirroring – which compels that at least one copy of the data is stored locally.1
Defining on-soil incorporation is much easier – it means that the regulated entity must be incorporated in-country, under relevant corporate laws. By definition, this makes such entities subject to local laws, governing foreign exchange, foreign investments, labour laws and (significantly) tax.
III. Data Localisation's History in India
The regulatory interest in storing digital data locally has gained steam in recent times, but there were always laws that required local storage.2
As far back as 2007, the terms of the unified telecom licence agreement required Indian telecom service providers not to transfer certain subscriber information outside India.3 As per India's 2013 companies law, Indian registered companies are to maintain their books of accounts for audit and inspection only in India.4 The Insurance Regulatory and Development Authority of India mandates that all original policyholder records should be maintained in India.5 In the public contracting realm, 2017 Guidelines for Government Departments on Contractual Terms Related to Cloud Services6 required all government departments to include localisation provisions in their contract while obtaining cloud services.7
These laws were, and still are, fairly controversy-free. This may be because they are fairly clear, limited and targeted applications of the principle of data localisation, with the intent behind them clear to those covered by the regulation. This is worth keeping in mind, as we look to more recent laws that attempt data localisation.
IV. Faster Pace Since 2018
Data localisation as an element of regulatory data protection has come to the fore globally in the past two years. The EU's General Data Protection Regulation ("GDPR") came into force in May 2018. While GDPR does not restrict data flow, it imposes 'adequacy' and other tests on transfer of data abroad.
In India, too, since early 2018, data localisation measures and proposals have sped up substantially. An obvious spur to regulation was the Indian Supreme Court's 2017 ruling that Indian citizens have a fundamental right to privacy.8 The court recognised informational privacy as a facet of the right to privacy, and ordered the government to put in place a data privacy regime.
A Draft Personal Data Protection Bill, 2018 ("Draft Bill")9 then proposed mandating the storage of 'one serving copy' of all personal data10 within India. This Bill also proposes to empower the central government to classify any personal data as 'critical personal data' to be processed exclusively in India.11
Localisation restrictions have also been placed on payment data. On April 6, 2018, the Reserve Bank of India ("RBI") issued a circular12 mandating all payment system providers to store payment data locally only in India.13
A draft e-Commerce Policy ("e-Commerce Policy")14 was released, purportedly addressing issues in the Indian e-commerce ecosystem. Interestingly, this e-Commerce Policy proposes data localisation measures as a means to keep data secure, derive economic benefits from it and create jobs within India. A proposed amendment to the Information Technology (Intermediary) Rules15 requires intermediaries having more than 50,000,000 users in India to be registered and incorporated under local laws. Most recently, in September 2019, the RBI has floated a discussion paper proposing to regulate payment aggregators and payment intermediaries.16 This, too, moots local incorporation requirements for all intermediaries, including pure-technology providers who facilitate payments to merchants.
It can be seen, then, that the pace of data localisation requirements has increased in the recent past, particularly in 2018 and 2019.
|Data Localisation – What's Changed and What's on the Horizon|
|Localisation Requirement||Targeting||What You Need To Do|
|In-country storage of all payment data.||All entities collecting, processing or storing payment data.||
|In-country storage of all critical data.||All entities collecting, processing or storing critical data.||
|Mandatory local incorporation.||Online intermeddlers with more than five million users.||
|Mandatory local incorporation.||E-commerce players of all sizes.||
|Mandatory local incorporation.||Payment intermediaries and aggregators.||
To be clear, a number of these laws are at a draft stage, and it is eminently possible that the final versions of these dilute the localisation requirements. That said, at this moment, India is poised to put in place a number of stringent localisation mandates.
V. What's Driving Data Localisation in India?
A number of rationales are given for data localisation. At times, these reasons are included in the policy document or rule itself. The RBI mandated payment data localisation and regulation of payment intermediaries so that it could have "unfettered supervisory access" to "ensure better monitoring", and protect consumer interests. In comparison, the e-Commerce Policy intends to promote domestic innovation and support Indian firms through localisation.
To be clear, the reasons driving localisation may not be mutually exclusive. A policy or proposed rule may be motivated by more than one rationale. It is still useful to examine these reasons, and try and understand the path down which regulation may move in the future.
i. Securing Individual Rights
Following the 2017 Supreme Court judgment, the Draft Bill aims to protect personal data as a facet of informational privacy. Its stated aim is to develop a robust regime for data protection, which balances individual interests and legitimate concerns of the state. In the expert committee report issued along with the Draft Bill,17 cited among the justifications for data localisation is the fact that data of Indian citizens is being exposed to foreign surveillance and attacks. If data is hosted abroad, an Indian citizen may not have an effective remedy against foreign-based services providers.
There has been a fair amount of pushback against the notion that data localisation necessarily leads to better privacy protections.18 Without an independent regulatory body, and with little history of data protection enforcement, data localisation by itself will not lead to increased privacy. Indeed, the number of data breaches involving Indian data assets (including, arguably, the biggest one ever19) speak to the contrary.
ii. National Security and Law Enforcement
Another argument made for localisation is enhancing enforcement capabilities. Access to certain sensitive information (like telecom numbers) can be a threat to national security, and certain kinds of data may be crucial to a nation's economic wellbeing (like payment data). National enforcement agencies need access to data for their investigation and enforcement actions. This need advocates local storage for such data, especially since (without localisation) it would prove difficult to get hold of such data without cooperation of other jurisdictions and regulators.
In the last decade, there have been several instances where the Indian government has struggled to get information from overseas entities.20 The Indian Information Technology Act, 2000 ("IT Act") has extra territorial applicability,21 but has proven to be largely ineffective.22 Indian authorities face challenges while using mutual legal assistance treaties ("MLAT") and letters rogatory (that are issued by courts) to access evidence in other jurisdictions, given the complexity of MLAT procedures and the need to satisfy legal requirements.
iii. Widening Tax Base
Another (comparatively understated) reason for localisation and on-soil requirements would be the resulting expansion of the tax base.
Indian tax laws have seen seismic changes in the past few years, with the indirect tax structure being completely revamped and a direct tax overhaul proposed. Tax laws have, even so, not kept pace with the global move to a data economy. Five of the top six companies globally by market value have a business model centered on data, and its derivatives.23 The question for the taxman is how to make these businesses subject to tax regulations. Absent a new theory of taxation that can account for cross-border profits earned on account of local data, a physical, local presence is the simplest way to ensure that such businesses are taxed.
To be clear, India already has regulations that tax digital transactions. In 2016, Indian tax regulations were amended to permit the imposition of an 'equalisation levy' on money paid to foreign entities24 providing specified services25 to Indian residents or non-residents having a permanent establishment in India.26 Further, in 2018, Indian income tax law was amended once again to incorporate the concept of 'significant economic presence'.27 A significant economic presence forms the basis for determining whether an overseas entity, having no fixed place of business in India, has a business connection with India. The business income of entities fulfilling these requirements is subject to tax in India. Hosting local servers in a country would make it possible to assert the existence of a "fixed place of business", attracting taxation provisions for a permanent establishment.
With this background, the government's prescription for local incorporation starts to make sense. If overseas digital business companies propose to offer services to Indian users, they will need to do so from an Indian operating company. Among other effects, the income they earn will be subject to Indian taxes in the first instance.
iv. Economic Protectionism
Last, but not least, data localisation and on-soil presence measures provide an economic advantage to local firms. This may be an unintentional side effect, but local firms are usually much better equipped to handle local/on-soil requirements.
This is not an unfamiliar regulatory stance for India. Indian foreign investment and exchange control regulations still restrict foreign money in certain sectors and activities. Sectors such as multi-brand retail are still not fully open to participation by foreign companies. Admittedly, the trend in the past two decades has been to open up India to more foreign investment and participation.
The Indian government remains keen on data localisation and on-soil requirements. Reasons such as law enforcement and data protection are relevant, but we must be conscious of economic imperatives too.
Unlike law enforcement and data privacy concerns where technical alternatives to data localisation or on-soil incorporation are (comparatively) easier to champion, there is little by way of 'technical' alternatives when the regulatory aim is higher tax receipts. (Of course, one can challenge the assumption that data localisation will actually result in higher tax collection or greater economic growth.)
It is also useful to identify different 'flavours' of data localisation with varying objectives. Mirroring data on a local server, adequacy measures for data stored overseas, data encryption, and limiting critical data transfer lend themselves to concerns of data privacy and law enforcement. On the other hand, measures such as on-soil incorporation mandates and storing data exclusively in India may suggest that the government is also looking to the (so-called) economic benefits of data localisation.
Which path Indian regulations take, and which 'flavour' of localisation wins out, remains to be seen.
1. Data localisation in India: Questioning the means and ends, published by Rishab Bailey and Smriti Parsheera on October 31, 2018. See: https://www.nipfp.org.in/media/medialibrary/2018/10/WP_2018_242.pdf.
2. Data Localization in a Globalised World, published by The Dialogue on November 18, 2018. See: http://thedialogue.co/dialogue/wp-content/uploads/2018/12/Data-Localisation-in-a-Globalised-World.pdf.
3. Amendments in Unified Access Service License Agreement, issued by the Ministry of Communications and IT, Government of India. As per Clause 1G(iv): "The Licensee shall not transfer the following to any person/place outside India: a. any accounting information relating to the subscriber (except for international roaming/billing) (Note: it does not restrict a statutorily required disclosure of financial nature); and b. user information (except about foreign subscribers using Indian Operator's network while roaming and IPLC subscribers)."
4. Rule 3(5) of the Companies (Accounts) Rules, 2014 mandates that: "the back-up of the books of account and other books and papers of the company maintained in electronic mode, including at a place outside India, if any, shall be kept in servers physically located in India on a periodic basis."
5. Regulation 18(ii) provides that: "In cases where Insurer outsources to the service providers outside India, the Insurers shall ensure that the terms of the agreement are in compliance with respective local regulations governing the outsourcing service provider and laws of the country concerned and such laws and regulations do not impede the regulatory access and oversight by the Authority. All original policyholder records continue to be maintained in India."
6. Issued by the Ministry of Electronics and Information Technology on March 31, 2017. See: https://meity.gov.in/writereaddata/files/Guidelines-Contractual_Terms.pdf.
7. Paragraph 2.1(d)(i) of the Guidelines provides that: "the location of the data (text, audio, video, or image files, and software (including machine images), that are provided to the cloud service provider for processing, storage or hosting by the cloud service provider services in connection with the Department's account and any computational results that a Department or any end user derives from the foregoing through their use of the cloud service provider's services) shall be as per the terms and conditions of the empanelment of the cloud service provider."
8. Justice K.S.Puttaswamy (Retd.) v. Union Of India And Ors. (2017) 10 SCC 1.
9. At this stage, it is not known when the final version of the Draft Bill will be released.
10. Section 3(29) of the Draft Bill defines 'personal data' to mean data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.
11. Section 40 of the Draft Bill.
13. Paragraph 2(i) of the RBI circular: "all system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required."
14. Draft National e-Commerce Policy, issued by the Department of Industrial Policy and Promotion, dated February 23, 2019. See: https://dipp.gov.in/sites/default/files/DraftNational_e-commerce_Policy_23February2019. pdf. On August 2, 2019, a similar draft policy to regulate e-Commerce entities was released by the Ministry of Consumer Affairs ("New Policy") (see: https://consumeraffairs.nic.in/sites/default/files/file-uploads/latestnews/Guidelines%20on%20e-Commerce.pdf). The New Policy mandates the incorporation of a local entity to conduct business in India.
15. Rule 3(7). These rules are still in draft stage.
16. RBI's Discussion Paper on Guidelines for Payment Gateways and Payment Aggregators, dated September 17, 2019, https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=943.
17. A Free and Fair Digital Economy Protecting Privacy, Empowering Indians, authored by the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna. This committee was set up by the Indian government to formulate a draft privacy regulation. See: https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.
18. Bailey and Parsheera, Ibid.
20. In 2010–2011, the Indian government required the makers of Blackberry, Research in Motion, to provide access to encrypted communications. These communications could not be intercepted and monitored by Indian security agencies on a real-time basis. Initially, Blackberry informed the government that the messages could not be decrypted, but later worked out a solution that enabled India's wireless carriers to address their lawful access requirements for its consumer messaging services, which include BlackBerry Messenger and BlackBerry Internet Service email. This solution was integrated with the networks of the telecom service providers that were offering access to Blackberry devices. See: https://www.thehindu.com/opinion/lead/The-battle-lines-over-encryption/article15457098.ece. More recently, it was reported that the messaging application Telegram refused to provide the Indian government information pertaining to terrorist organisations. See: https://www.medianama.com/2019/06/223-telegram-refused-to-hand-over-data-from-isis-channels-despite-repeated-requests-nia-tells-court/.
21. Section 75 of the IT Act.
22. India Law Journal, Cloud Computing in India: The current Legal regime and the main Issues and Challenges, February 2015. Available at: http://www.indialawjournal.com/volume7/issue1/article3.html.
24. This levy of 6% is to be withheld by the payer who makes the payment to a non-resident providing the specified services.
25. Under Section 164 (i) of the Finance Act, 2016, specified service means: "online advertisement, any provision for digital advertising space or any other facility or service for the purpose of online advertisement, or includes any other service as may be notified by the central government in this behalf."
26. Section 165 of the Income Tax Act, 1961.
27. Section 9 of the Income Tax Act, 1961. A "significant economic presence" means: (a) a transaction in respect of any goods, services or property carried out by a non-resident in India, including for the provision of download of data or software in India, where the aggregate payments during the previous year exceed a prescribed amount; or (b) systematic and continuous soliciting of business activities or engaging in an interaction with such number of prescribed users, in India through digital means. The transactions or activities shall constitute significant economic presence in India, whether or not: (i) the agreement for these matters is entered into in India; or (ii) the non-resident has a residence or place of business in India; or (iii) the non-resident renders services in India.
Originally published by The International Comparative Legal Guide to: Telecoms, Media & Internet 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.