The Impact of The Digital Personal Data Protection Bill In 2022 On India’s Thriving Data Centre Industry
By Lalit T Khanna, General Counsel, STT Global Data Centres India Private Limited
India is quickly developing into a digital ecosystem, driving up demand for data centres. Due to the surge in cloud use and data consumption, businesses are actively moving forward to invest in these assets. They have created a favourable environment for India to become a global hub by being willing to have data centres for data storage and processing.
Visionary government programmes and efforts like Digital India, make in India, Atmanirbhar Bharat, and others have further fuelled this growth. The nation with the lowest internet, improved connection, and reasonably priced smartphones give a significant opportunity for data centres, which, according to NASSCOM, are anticipated to attract investments totalling over USD 200 billion annually by 2025.
The Indian government’s introduction of the Digital Personal Data Protection Bill 2022 (the 2022 Bill) is encouraging because increased data usage necessitates increased data security. The digital ecosystem’s dependability, security, and safety will be enhanced as a result of this eagerly anticipated move, which will protect users; private information from unauthorized use. Another priority of the 2022 Bill is the effective use of data with transparency, informed consent, and a guarantee of data security.
The Personal Data Protection Bill of 2019 included information restriction prerequisites, which bring up significant issues about security of information produced in India however handled or potentially put away in a far-off country as well as public safety and sway. However, the 2022 Bill diluted these requirements while preserving the legitimate objective of protecting personal data and opening the door to cross-border data transfer.
The overriding clause of the 2022 Bill, which states that if there is a conflict between its provisions and any other legislation that is in effect, the former will take precedence, can also lead to misunderstandings and disagreements. For data security reasons, the Reserve Bank of India had previously mandated that all payment system data be kept in India.
Similar to this, the Securities and Exchange Board of India stated that it wanted to create rules that would require international businesses to keep local data about India. The overriding clause in the 2022 Bill will now not only result in additional disputes but also call into question the validity of sectoral regulations.
Strong data localization regulations actually supported the establishment of a strong data centre ecosystem in India because the government required that the processing of data generated within the country take place within its borders. However, the current version of the 2022 Bill stipulates that the central government may notify jurisdictions to which personal data can be transferred across the border, subject, of course, to specific terms and conditions, following an evaluation of the necessary factors.
Data processors and fiduciaries will be able to share personal data outside of India without knowing how it will be used, if it becomes law. As a result, it may be challenging to maintain the same level of security in the nations where the data is stored. In the event of a data breach or illegal data sharing, for instance, it will be difficult and may result in detail for law enforcement agencies to identify the wrongdoing.
The protection of national interests, citizen or financial data from foreign monitoring, and improved control over the enforcement of data protection can all benefit from data localisation. There are a number of nations that have enacted prohibitions on the transmission of personal data and/or restrictions on the transfer of data based on sectors like government, telecommunications, finance, health, and defence, or otherwise requirement of storing data within the country while permitting the processing outside the country with certain stipulations.
As a result, it is critical to ensure that personal information about Indian citizens and residents, particularly information about their health, finances, biometrics, affiliations, and so on, is stored and processed in India.
Clarifying obligations and responsibilities in the event of a data breach the 2022 Bill specifies three important parties to whom its provisions may be applied: Data fiduciary: the organisation that selects the data processing method and purpose. Data Processor: the company that handles personal data on behalf of the data fiduciary. Data Principal: the person to whom the personal information pertains. It defines processing as any automated action performed throughout the lifecycle of digital personal data, including data collection, recording, organization, storage, adaptation, modification etc.
Under the 2022 Bill, even property owners, lessors, licensors, and colocation service providers (collectively, Infrastructure Providers) that provides space and infrastructure support to the data fiduciaries/data processors for their servers and equipment at the data centre building could be considered data processors given the broad definition of storage.
The Infrastructure Provider continues to have no control over the servers and equipment (where data, platforms, and apps are stored), and they are not even permitted to monitor, access, or control any personal data held in such servers or equipment. As a result, it is essential to add a clarification stating that a company is not considered to be processing personal data if it merely provides space and infrastructure support but does not monitor or access personal data stored on a server or other piece of equipment of data fiduciary/data processor.
Furthermore, when infrastructure providers are only providing space and infrastructure support to data fiduciary / data processor for their servers and equipment in the building, it would be too much of a burden for Infrastructure Providers to uphold the duties of data processors.
For instance, despite the fact that Infrastructure Providers have no access to or knowledge of the Data Principals and are not involved in any processing of the Personal Data, they are required to act as Data Processors and report any personal data breach events to all Data Principals and the Data Protection Board of India, making it impossible for them to notify the affected Users.
In a world that is digitally connected, data centres have a huge impact. The highly resilient
infrastructure that is required to guarantee 100 per cent uptime for all critical services required by their clients is provided by data centres, which are inexpensive warehouses. This ensures that the clients’ businesses, operations, and systems—including their servers and equipment—function effectively, efficiently, and most importantly, continuously.
For the safe storage of sensitive data, businesses and even government agencies are increasingly relying on data centres. As a result, removing obstacles and ambiguities would boost investor confidence and encourage the growth of the data centre industry, which received infrastructure status in the most recent Union budget for 2022–23.
Expansion of the data centre industry will have a positive impact on India’s economy as it would not only result in an increase in foreign investments in India and technology advancement but also propel the growth of other related sectors/industries like renewable energy/green power, telecom sector, generator sets/ backup power solutions providers etc.