Cc: The Honorable Urjit Patel, Governor of the Reserve Bank of India; The Honorable Ajay Prakash Sawhney, Secretary of the Ministry of Electronics and Information Technology
Re: Data Localization Requirements in India’s Draft Privacy Law and Reserve Bank of India Circular on Electronic Payments
The Global Services Coalition (GSC) represents the services sector in Coalition member economies on issues of international trade and investment. We write to express our serious concerns in relation to the Indian Government’s apparent increasing use of mandatory data localization requirements, including the Reserve Bank of India’s April 6, 2018 Directive requiring that all data relating to electronic payment systems be stored locally in India, as well as the data localization requirements contained in the 2018 Personal Data Protection Bill (PDPB). The increasing reliance of all economic sectors on mobile technology, internet platforms and digitally enabled services has made cross-border data flows the lifeblood of global trade and investment. Data flows are the building blocks of technological advances such as cloud computing, the Internet of Things, Artificial Intelligence and the rapidly evolving services and technologies of the Fourth Industrial Revolution. GSC members acknowledge the challenges of rapidly increasing data flows, and recognise that it is essential to ensure appropriate data security and effective protection of personal data. However, the GSC believes that cross-border data flows need not be impeded, and that any exceptions should be limited to legitimate public policy objectives, be non-discriminatory in their operation, and comply with the General Agreement on Trade in Services (GATS) Articles XIV and XIV bis.
India is an important market for GSC member businesses. India also has major IT and computer companies which are significant actors in the global digital economy, with a strong interest in supporting its competitiveness and growth. Data localization requirements and other policies that restrict data flows are likely to constrain growth and innovation, and reduce the scope for leading Indian IT firms and their GSC counterparts to engage in business and investment contributing to promoting India’s competitiveness and growth. According to a 2014 report by the European Centre for International Political Economy (ECIPE), widespread data localization requirements in India could lead to a 2 percent decrease in foreign investment into India, cost the average Indian worker as much as 11 percent of their monthly salary, and result in welfare losses of as much as $14 billion.
There are also likely to be some specific, possibly unintended, effects. For instance, as the proposed rules would apply to all personal data processed within India, they could in fact cover personal data collected from residents of foreign jurisdictions and sent to India for processing. As many organisations outside India rely on Indian-based companies to process foreign personal data, the application of Indian privacy rules to the processing of such data in India would impose an added layer of regulation, discouraging the use of Indian-based service providers. The proposed rules need scrutiny, with such effects in mind.
Nor is there any evidence that data localization enhances data security. Indeed a 2018 Brookings Institution study concluded that data localization can weaken rather improve data security. The study found that data localization prevents businesses from adequately ensuring data resilience, data recovery, and business continuity by severing connections to global data centers and hence to the protection from cyber threats that global data centers are designed provide.
The Government of India need not rely on data localization requirements to address its data privacy and security concerns. For example, the APEC Cross-Border Privacy Rules (APEC CBPR) provide a useful voluntary set of privacy principles that can guide data protection practices and procedures. Major global markets with large digital trade flows such as Japan, Australia, and Singapore also have a wide range of legal processes to govern cross-border data transfers such as accountability, binding corporate rules, contractual clauses, and consent. GSC members appreciate the importance of the Indian market and its potential to become a vibrant digital hub. We therefore strongly urge you to recognize the costs and potential adverse impacts of data localization measures for all businesses, including Indian exporting firms, and to turn to alternative regulatory approaches that can ensure data privacy and security while facilitating cross-border data flows.
Sincerely,
Asociación de Industriales de Colombia (ANDI)
Australian Services Roundtable
Canadian Services Coalition
Coalition Mexican de Servicios (CMS)
Coalition of Services Industries
European Services Forum (ESF)
Federation of Service Industries (Korea)
Hong Kong Coalition of Services Industries
Japan Services Network
Business NZ
Taiwan Coalition of Services Industries
The City UK
A pdf of the letter, including footnotes, may be downloaded at this link.