Following complaints by many Indian start-ups that data localisation requirements in the current draft of the personal data protection Bill are too “compliance intensive” and could hamper ease of doing business, the Ministry of Electronics and IT (MeitY) is looking at the possibility of diluting these norms, a senior government official has told The Indian Express.
Under the draft Bill, entities dealing with users’ personal data are mandated to store a copy of such data within India and the export of undefined “critical” personal data is prohibited. Personal data includes information – online or offline – that could be used to identify an individual and hence allows profiling that person.
“We have received hundreds of letters from start-ups raising concerns…we don’t want a Bill that has the potential to stifle innovation,” said the official. “Start-ups have indicated that a hard localisation mandate, as prescribed in the current draft, is not something they want and we are re-looking at the provision for start-ups.”
Flagging the need to balance privacy and innovation, the official said that the European Union’s General Data Protection Regulation (GDPR) is seen as too restrictive. “The general consensus is that GDPR requires heavy compliance and, as a result, has put impediments to innovation in the region. Unlike the EU, India has one of the most vibrant start-up ecosystems in the world and the government does not want to create unnecessary hurdles in their way,” the official said.
The draft Bill mandates that entities dealing with users’ personal data keep that within India. As start-ups deal with overseas entities, they say data localisation norms will hit work.
For one, start-ups use many third-party services from companies who may not have a physical presence in India and a hard localisation mandate impedes cross-border business. “As a start-up, you end up using online tools and software – from analytics to entire cloud-based servers – that may not be based in India. These services often need to access your core database. Besides this, many start-ups have customers outside of India and a localisation mandate could make it tricky for them to do business with international customers,” said a founder on the condition of anonymity.
This comes even as Indian start-ups find themselves in a steep funding downturn. According to a July report by PwC India, funding in Indian start-ups plunged by 40 per cent to $6.8 billion in the April-June quarter due to geopolitical tensions led by Russia’s invasion of Ukraine, decrease in tech stock valuations, and inflation.
Other than compliance issues, stakeholders from civil society have also raised privacy concerns. “…Leaving the Central Government with the power to determine what data will constitute critical personal data will certainly lead to abuse of power by the State through excessive and overbroad intrusions into privacy in the name of national security,” the Delhi-based Internet Freedom Foundation has said.
The data protection Bill is under consideration after a joint Parliamentary panel issued a version last year. The first draft was prepared in 2018 by a committee led by former judge Justice BN Srikrishna.
One key issue, an official said, is that when the first draft of the privacy bill was ready in 2018, the Information Technology Act, 2000, was the only piece of legislation that regulated online space. “But today, we have the IT Rules of 2021 and we have also floated a draft of the National Data Governance Framework which will handle non-personal data. Somewhere along the road, there will also be a comprehensive cybersecurity policy. These developments have allowed the government to deal only with safeguarding personal data under the privacy bill.”
Not just local start-ups, Big Tech like Google and Meta have also raised concerns on the proposed data localisation provisions. In May, Meta’s VP and deputy chief privacy officer, Rob Sherman, had said that India’s data localisation norms could make it “difficult” for the company to offer its services in the country. Last month, Google’s chief privacy officer Keith Enright said that data localisation norms should be as “narrowly tailored as possible.”