'Storing digital data within India likely to create market entry barrier'
- Country:
- India
A government proposal to mandate storage of a certain set of digital data within India is likely to create a market entry barrier and has potential to isolate the country in Internet space, Rajya Sabha MP Rajeev Chandrasekhar said Monday.
"The draft bill requires that certain categories of data be stored in data centers located within India. These categories will be notified by the Data Protection Authority later. This requirement is likely to create a huge barrier to market entry given the enormous costs," Chandrasekhar said in a letter to Law and IT Minister Ravi Shankar Prasad.
The Rajya Sabha MP said that India at present does not have the physical infrastructure to host large-scale data center.
"In addition to localization, the bill requires contractual and inter-group cross-border transfer arrangements be approved by the Authority. This will significantly harm the ease of doing business given the dynamic business environment corporations function in today," Chandrasekhar said.
The Ministry of Electronics and IT (Meity) has floated draft Personal Data Protection Bill, 2018 on the recommendation by a panel chaired by former Supreme Court justice B N Srikrishna.
The panel was set up under the Meity after the apex court judge ruled that the right to privacy is a fundamental right.
The government in its draft framework for data protection has proposed that entity that processes personal information connected over internet shall ensure the storage of that data, on a server or data center located in India.
According to the draft proposal, the central government shall notify categories of personal data as critical personal data that shall only be processed in a server or data center located in India.
"The restriction on cross-border data transfers has the potential to create a case for isolating the Indian market. It is highly likely that countries such as the United States, under the (Donald) Trump administration, will respond kindly, in line with its terse stance on free trade," Chandrasekhar said.
He said that the restrictions appear to be motivated only to facilitate law enforcement and Security agencies access to data and do not lead to any meaningful bolstering of privacy rights while it can be argued that the impact of such restrictions is also far-reaching and disproportionate to the benefits.
Early this month, Google CEO Sundar Pichai too had written to Prasad saying that the "Free flow of data across borders - with a focus on user privacy and security - will encourage startups to innovate and expand globally and encourage global companies to contribute to India's digital economy."
Chandrasekhar also criticised proposal of creating Data Protection Authority saying that as envisioned in the draft bill the authority is likely to be the most powerful regulator in India till date.
"The Authority has sweeping rulemaking powers which make the whole framework subject to the whims of the man on the wheel...The present proposals, therefore, are at the peril of establishing a vague and capricious regulatory regime," he said.
Industry body IAMAI, which represents Google, Facebook, Mobikwik, Paytm, Policy Bazaar etc raised concerns over the definition of data fiduciary that covers any agency dealing with personal data and the multiple consent mechanism suggested under the proposed Bill.
"If each agency is considered as a data fiduciary and has to take consent for using data, there will be numerous consent requirements that will inundate consumers with requests and significantly slow-down functioning of the present seamless digital services," IAMAI said.
The Internet and Mobile Association of India (IAMAI) said that with various stakeholders involved in the handling of data it becomes difficult to identify on whom the liability would lie in case of any lapse in adhering to the bill.
IAMAI said that its members also raised concerns over the penalty mechanisms suggested in the Bill as they suggest flat rates of penalties based on revenues of the fiduciary and do not consider the severity of damage.