DATA protection has always been a sensitive issue, especially in India where any attempt by the government to monitor it has generated stiff opposition.

The government’s recent move to push ahead with a Personal Data Protection bill has consequently drawn opposition from the industry, both domestic and international.

With the country emerging as a major market for international service providers, including Facebook, Twitter, Google, WhatsApp and even Uber and Airbnb, policy planners have to tread cautiously while introducing new laws.

India, for instance, is the biggest market for Facebook, with more than 270 million users (as against 210m in the US). WhatsApp has more than 200m users, while Twitter has above 30m.

With nearly half a billion internet users, sites such as Google are introducing innovative new services in several Indian languages as well. Importantly, all these service providers are emerging as powerful new vehicles having a wide following not just in the cities but even in semi-urban and rural areas.

Considering the emergence of India as a major player in the global net industry, the move by the government to introduce the Personal Data Protection bill has seen strong opposition from several international leaders.

The key players in the segment fear that the new law could result in their costs soaring by nearly 60 per cent. Importantly, it would in no way guarantee data security

Last week, for instance, many top international technology giants and global associations, dashed off a letter to Ravi Shankar Prasad, the minister for electronics and IT, seeking a scrapping of the “forced localisation” requirements in the bill.

“We believe that once India develops strong privacy protections through a data privacy law with legal conditions for cross-border transfers — such as globally recognised transfer mechanisms like standard contractual clause — then data do not need to be localised,” said the note.

“Data localisation requirements in the draft bill will have significant negative effects on the ability of companies to do business in India, do not serve to further privacy protection, and are likely to undermine the security of Indian citizens’ data.”

The letter was signed by several top global associations including the US Chamber of Commerce, the US-India Business Council, the Japan Electronics and Information Technology Industries Association, Digital Europe, and the Information Technology Industry Council,

The key players in the segment — including Facebook, Google, WhatsApp and Twitter — fear that the new law could result in their costs soaring by nearly 60 per cent. Importantly, it would in no way guarantee data security.

A committee headed by Justice B.N. Srikrishna had in July submitted its report on the data protection law. The report said that personal data would be processed “only for purposes that are clear, specific and lawful.”

All companies would also have to appoint ‘data protection officers,’ who will also act as point of contacts for individuals raising grievances. They would also have to ensure that at least one copy of personal data has to be stored in India.

But more importantly, it specified that ‘critical personal data’ — to be defined by the government — should be processed in a server or data centre located only in India. International companies have strong objection to this particular rule, which has been described as ‘restrictive.’

INTERESTINGLY, some leading players are whole-heartedly backing the new initiatives. Paytm, an e-commerce payment system and digital wallet company — in which China’s Alibaba group, Japan’s Softbank and America’s Berkshire Hathaway have substantial investments — is backing the government’s move.

“The moment data leaves the country, it falls under various jurisdictions, which in many cases, are beyond our control,” Kiran Vasireddy, COO, Paytm, told the media recently. “It is important to keep all the data here so that the laws of the land can be made applicable to them.”

Data protection and localisation has generated a lot of controversies in India. In April, for instance, the Reserve Bank of India (RBI) directed that payment companies operating in India would have to locate their servers in the country within six months.

Recently though, the finance ministry said that payment firms could store data in India as well as in other countries where the company has its storage facilities.

Analysts note that international firms are keen on having data processing and analytics located at just one place globally, instead of opening more such centres elsewhere, as the costs would soar.

Both the Indian government and the RBI have been delaying the introduction of the new rules. The deadline for receiving feedback on the Personal Data Protection bill has been extended quite often and has now been set up for October 10.

Similarly, the RBI has extended the deadline for payment companies to comply with the regulations — relating to the storage of data of Indian users within the country — to October 15.

Surprisingly, international players have got backing from the Telangana state government. Hyderabad, the south Indian state’s capital, has several international high-tech and internet-related companies operating out of it.

The state, which has attracted investments of nearly $12 billion in the IT sector over the last three years — and accounts for a significant portion of India’s infotech exports — is worried that some of the clauses in the bill will isolate Indian start-ups and hurt investments into the state.

KT Rama Rao, the IT minister of Telangana, says that the new rules would not only hurt the state’s start-up initiatives, but also dampen its business-friendly image.

Leading global firms including Facebook, Google, Microsoft and Apple have selected Hyderabad as their India base and have huge operations in the city. The state government is worried that any new legislation that could impact their operations would jolt the state’s eminence as an IT and high-tech hub.

Published in Dawn, The Business and Finance Weekly, October 8th, 2018