India’s proposed personal data rules unnerve business
Companies cry foul over plans to restrict cross-border transfers of information.
NEW DELHI — India’s business community is launching a last-ditch campaign to reverse tough new rules on storage of personal financial data, as New Delhi prepares to implement one of the world’s toughest internet regimes.
From next week, payment companies such as Visa International, MasterCard and PayPal will be barred from storing transaction records and related data outside India. The new rule, introduced by the Reserve Bank of India and set to come into force on Oct. 15, is designed to ensure regulatory access to that data.
The move comes as the government separately considers a draft law that would restrict cross-border data flows on the internet, an initiative that critics say would not only drive up costs for Indian businesses but damage exports and innovation.
“It is going to restrict us on what services we can use to build our products,” said Sachin Shenoy, chief technology officer of HealthfyMe, a Bangalore-based health-enhancing app startup. “Data localization is regressive.”
The Personal Data Protection bill was drawn up in July by India’s Ministry of Electronics and Information Technology with the aim of establishing a comprehensive online privacy and data rights protection regime.
Inspired by the European Union’s General Data Protection Regulation, which was implemented in May, the bill goes much further. Combined with the Indian central bank’s mandate on payment services, it would make India’s regulatory regime the worlds most restrictive for cross-border transfers of personal data.
Public consultation on the bill closed this week, and a decision on the final form of the legislation will be made by the parliament, probably after the general elections expected in April or May next year.
Payment companies, technology experts and startups have been writing to the government and the central bank to express concern about problems with the new rules, in hopes they will be softened or even reversed, in the case of the RBI’s requirements. At a minimum, the hope to postpone the deadline for compliance.
“The government is receiving a lot, I mean really a lot, of opinions from individuals and businesses,” said Sanjay Kumar Verma, additional secretary in charge of cyber diplomacy at the Ministry of External Affairs.
Particularly controversial are clauses that require at least one copy of every bit of personal data generated through internet use in India to be stored inside the country. The bill even proposes a complete ban on cross-border transfer of “sensitive” personal data generated in India.
The decision to crack down on data transfer has been prompted by a growing frustration over U.S. dominance of internet platforms and data.
Nandan Nilekani, chairman of Infosys and one of the country’s best-known technology experts, described the situation as “data colonization” in a public speech last year.
A report by the expert panel that drafted the data protection bill pointed out that eight of the top 10 most-accessed websites in India as of March this year were run by U.S. companies. It also reported that Google had refused 54% of the 3,843 user data disclosure requests by the Indian government for law enforcement and national security.
The report concluded that law enforcement and other exercises of sovereignty would be difficult without data localization.
A series of scandals involving U.S. social media companies has given Indian policymakers the justification to try to create a regime with the equivalent of nation-state borders in cyberspace.
Complaints that public opinion in the U.S. and the U.K. has been manipulated due to breaches on social media platforms such as Facebook have infuriated Indian political leaders.
Malicious WhatsApp fake-news posts, which led to mob lynchings this year in rural India, prompted another wave of condemnation. WhatsApp sparked another outcry when it refused a request to provide account information on large-scale chat groups so that law enforcement officials could monitor posts for content promoting violence.
However, industry experts warn that the government’s bill is unlikely to deliver the results policymakers want. Leonard Koschwitz, director of Allied for Startups, an international advocacy group for startups, said that data localization measures “will favor large players, for whom compliance — hiring extra lawyers and building extra data centers in each jurisdiction — is far easier than for small companies.” Giants such as Amazon, Google and Facebook will be the big beneficiaries, he suggested.
Arjun Pratap, founder and chief executive of Edge Networks, a Bangalore-based human resource management technology startup, warns that cloud services companies could choose not to operate in India, just to avoid the cost of compliance. This, in turn, could add costly administrative burdens for small and medium-size businesses. “Data localization might end up becoming harmful by forcing businesses to use suboptimal solutions just to remain compliant,” he told the Nikkei Asian Review.
Sachin Shenoy of HealthfyMe, said if his company is forced to store and process user data inside each country it serves, this will not only increase the cost, “but also slow down the pace of our innovation.”
Ashish Aggarwal, senior director and head of public policy at National Association of Software and Services Companies or NASCOM, the top industry body for Indian IT companies, has argued in Mint, an Indian daily, that the country’s $167 billion IT industry will be hit. It is “export-driven,” he warned. “Mandating a strict data localization regime could be perceived as a restrictive trade barrier and could spur retaliatory measures. The last thing India wants is to fuel a trend where the world starts moving toward data silos.”
With India heading for a general election in the spring of 2019, the issue has become a hot election topic. IT and Law Minister Prasad recently declared India should not be held in “data slavery” by U.S. companies, while Manish Tewari, a former Minister and senior leader of the opposition Indian National Congress party, lashed back with accusations that any attempt to create borders in cyberspace was futile and outdated.
But foreign internet companies should not underestimate lingering anti-colonial sentiment in India, said Rishikesha Krishnan, a professor at the Indian Institute of Management Bangalore and a member of the Data Protection bill drafting panel.
“There is a broad perception in the government that U.S. internet giants have not been very cooperative in law enforcement and security,” he told the Nikkei Asian Review. “There is a good chance that the government will go ahead with localization unless those U.S. companies show clear evidence of their willingness to cooperate with the Indian government,” Krishnan said.