Last year, when conversations were taking place on the kind of data protection framework India should adopt following the landmark privacy judgement, one issue kept turning up over and over. It seemed strange that the Justice Srikrishna Committee was seriously considering data localisation when most evidence suggested it did not protect citizens from foreign governments or agents and was harmful to the economy. It was little surprise then that the draft Personal Data Protection Bill released last week revealed a strong data localisation mandate.
Looking at the provisions around this in the proposed law, I see a distinction between two types of data localisation: a hard data localisation and a soft one.
Hard data localisation can be seen in Sec. 40(2):
40(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.
This is the stereotypical notion of data localisation, one that completely restricts the ability of an entity to transfer data outside a set territory.
Soft data localisation, on the other hand, can be seen in Sec. 40(1) of the Bill:
40(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.
While this is not a complete restriction on cross-border data transfers like the previous one, it does impose costs on a data fiduciary. These costs, which might take the form of setting up local servers or procuring the services of an entity that provides local storage, is a real and tangible one. When the inevitable criticisms of the data localisation mandate in the Bill make it to the headlines, I hope this softer variant also attracts equal attention.