Srikrishna panel report on data localisation: Why corporate India is upset

The Justice B N Srikrishna Committee’s proposals on data localisation have been akin to setting the cat among pigeons. The panel disallowed cross-border transfer of all critical personal data and mandated that a live copy of data pertaining to Indian citizens be kept on servers in the country by all companies, at all times. 

India Inc’s biggest concern is the cost factor associated with collecting and managing the user database. “India simply does not have the level of telecom infrastructure at the national scale to provide the kind of data centers that companies need in order to substitute their current arrangements for localised solutions,” says Rahul Matthan, partner, Trilegal. 

Legal experts feel that data localisation is easier said than enforced. It seems as of now businesses have to deal with multiple guidelines for storage of user data. In April this year, the Reserve Bank of India opted for ‘hard’ data localisation when it issued directions to all payment industry players that data pertaining to transactions by Indians should be only stored in the country. Legal experts say the word ‘only’ is the operative clause here as it prevents companies from storing even a copy of this data anywhere outside India.  The banking regulator said it is insisting on this to get “unfettered access” to data and monitor firms in the space. The six-month deadline to comply with the order ends next month. 

Meanwhile, the recently-released draft e-commerce policy recommendations propose data localisation but in broader strokes than those enunciated by the banking regulator or what is proposed by the Srikrishna panel. The draft policy suggests storing data of Indians, collected by social media firms, only in the country.

The draft policy offers certain exceptions to data localisation norms, such as in the case of cross-country business transactions, multinationals moving data across borders and for start-ups up to a turnover of Rs 500 million, but the lack of clear definitions has flummoxed experts and industry alike. 

“Either you will fall within a specifically regulated silo such as healthcare, e-commerce, and banking where there will be a sectoral regulatory requirement or you will be under the larger ambit of the data protection code,” says Delhi-based cyber lawyer Apar Gupta. “If you have sectoral guidelines, you will follow that or else one has to go by the larger Code,” he adds.

According to Gupta, this can spell trouble for cross-sector companies, such as a fintech health start-up that will have to abide by the RBI guidelines as well as the ministry of health guidelines.

There are also concerns about the impact of data localisation on the start-up ecosystem. Matthan feels mandatory data localisation will influence the ability of start-ups to develop proofs of concept with minimal investment.

The Srikrishna Committee has suggested a turnover-based threshold for kicking in data localisation. Matthan feels these dispensations are arbitrary and will mean different things for different types of businesses.