[Ed Note : The following post, the fifth post in the series of posts containing comments to the Report and Draft Bill, 2018 published on the MeitY website, has been authored and compiled by students of NALSAR University of Law. This post contains comments on data localisation framework put forth by the Committee.
The first post in the series can be found here.]
The Data Protection Bill under Section 41 mandates any data fiduciary to store personal data of all data principals in India. It also requires companies process and store all critical personal data only in servers or data centers located in India. This requirement is colloquially known as ‘Data Localisation.’ The report justifies data localisation on several grounds such as easy enforcement, increase in compliance, reduction of foreign surveillance, among others. The following paper will discuss briefly the reasons provided by the Report, it will then critically evaluate the claims, and arguments made by the Committee. It will conclude by arguing against a requirement for data localisation.