India's data localisation rules to be a barrier to digital trade: US

India’s proposed data localisation requirements under which firms need to store data within India “will serve as significant barriers to digital trade” between the two countries, says the US government.

In the recent National Trade Estimate Report on Foreign Trade Barriers, the US says it believes such requirements will act as “market access barriers, especially for smaller firms”. If implemented, the rules will “raise the costs for service suppliers that store and process personal information outside India” by forcing them to construct unnecessary and redundant local data centres here.  

The report, prepared by the United States Trade Representative, was released by Katherine C Tai and covers various countries across the world including India.

The crux of America’s concern is India’s proposed Personal Data Protection Bill and the electronic commerce policy that impose broad-based localisation requirements for data.

Under the Bill, firms are expected to store sensitive and critical personal information related to Indians on servers located in India. In the case of critical personal information — a yet-to-be-defined category —  this cannot be transferred outside India under any circumstance.

The Bill has been through the scrutiny of a joint parliamentary committee and is expected to be promulgated later this year.    

The US report says that the Bill could impose “onerous conditions” on the cross-border transfer of sensitive personal information in that it calls for the data owner’s explicit consent.

“In the absence of any standalone trade secret legislation, there is little recourse for firms in the event of misappropriation of their sensitive information,” the report says.

This, in turn, will “undermine the ability of foreign firms to supply many services to Indian consumers on a cross-border basis and would not increase the protection of personal information”.

On the inclusion of non-personal data, the report referred to the Non-Personal Data Governance Framework, released by the Committee of Experts set up by the Ministry of Electronics and Information Technology in 2020. The United States Trade Representative said the framework will “impose burdensome requirements on domestic and foreign firms, including requests for mandatory data sharing, administrative obligations, affect copyrighted content, patent, and trade secret protection”.

It also raised a red flag on the proposed electronic commerce policy. It points out that, based on a reading of the early drafts, which contemplate broad-based data localisation requirements and restrictions on cross-border data flows, the US has strongly encouraged India to “reconsider” the draft policy. The US’s other concerns include the expanded ground for the forced transfer of business sensitive information, trade secret information, and preferential treatment for domestic digital products.

Global companies and homegrown players have been at loggerheads on the proposed data privacy laws. Global companies, especially from the US, have expressed doubts about the Data Protection Bill and the recommendations made by the joint parliamentary committee.

Some US companies have warned that a stringent position on the Bill could have a fall out on ongoing bilateral trade negotiations between the two countries for more access.

Others have pointed to reports by the Indian Council for Research on International Economic Relations and the Centre for International Trade, Economics & Environment that specify the socio-economic value of free data flow.

The Internet and Mobile Association of India has also said that stringent data localisation should not be included in the Bill and has demanded the removal of criminal penalties. However, big Indian firms such as Reliance and Paytm have supported data localisation as a key element in the security of the country.