As start-ups complain, Govt looks to ease data localisation norms

“We have received hundreds of letters from start-ups raising concerns…we don’t want a Bill that has the potential to stifle innovation,” said the official. “Start-ups have indicated that a hard localisation mandate, as prescribed in the current draft, is not something they want and we are re-looking at the provision for start-ups.”

Flagging the need to balance privacy and innovation, the official said that the European Union’s General Data Protection Regulation (GDPR) is seen as too restrictive. “The general consensus is that GDPR requires heavy compliance and, as a result, has put impediments to innovation in the region. Unlike the EU, India has one of the most vibrant start-up ecosystems in the world and the government does not want to create unnecessary hurdles in their way,” the official said.

For one, start-ups use many third-party services from companies who may not have a physical presence in India and a hard localisation mandate impedes cross-border business. “As a start-up, you end up using online tools and software – from analytics to entire cloud-based servers – that may not be based in India. These services often need to access your core database. Besides this, many start-ups have customers outside of India and a localisation mandate could make it tricky for them to do business with international customers,” said a founder on the condition of anonymity.

This comes even as Indian start-ups find themselves in a steep funding downturn. According to a July report by PwC India, funding in Indian start-ups plunged by 40 per cent to $6.8 billion in the April-June quarter due to geopolitical tensions led by Russia’s invasion of Ukraine, decrease in tech stock valuations, and inflation.

Other than compliance issues, stakeholders from civil society have also raised privacy concerns. “…Leaving the Central Government with the power to determine what data will constitute critical personal data will certainly lead to abuse of power by the State through excessive and overbroad intrusions into privacy in the name of national security,” the Delhi-based Internet Freedom Foundation has said.

The data protection Bill is under consideration after a joint Parliamentary panel issued a version last year. The first draft was prepared in 2018 by a committee led by former judge Justice BN Srikrishna.

One key issue, an official said, is that when the first draft of the privacy bill was ready in 2018, the Information Technology Act, 2000, was the only piece of legislation that regulated online space.  “But today, we have the IT Rules of 2021 and we have also floated a draft of the National Data Governance Framework which will handle non-personal data. Somewhere along the road, there will also be a comprehensive cybersecurity policy. These developments have allowed the government to deal only with safeguarding personal data under the privacy bill.”

Not just local start-ups, Big Tech like Google and Meta have also raised concerns on the proposed data localisation provisions. In May, Meta’s VP and deputy chief privacy officer, Rob Sherman, had said that India’s data localisation norms could make it “difficult” for the company to offer its services in the country. Last month, Google’s chief privacy officer Keith Enright said that data localisation norms should be as “narrowly tailored as possible.”