Controversial rules preventing Indian companies from storing online data outside the country look set to become law after years of wrangling. After being withdrawn by the government earlier this year, a bill seems likely to surface at the forthcoming parliamentary budget session in February next year. But exactly what it will mean for companies and Indian citizens is still not clear.

The so-called Data Protection Bill would originally have required Indian companies to store personal data about citizens on servers physically located inside India. Firms would have been stopped from transferring critical data outside the country.

That was before India's Joint Parliamentary Committee (JPC) waded in with new recommendations for the Data Protection Authority (DPA). Under those, government agencies would have a blanket exemption from rules affecting other organizations. They would be free to access citizens' personal and anonymized data for any reason.

Unsurprisingly, such recommendations were met with industry backlash. In March this year, the US government complained that India's proposed data localization requirements would "serve as significant barriers to digital trade" between the two countries.

US authorities also insisted rules would "raise the cost for service suppliers that store and process personal information outside India" by forcing them to build local data centers in India. "The requirements could serve as market access barriers, especially for smaller firms," said a US government report.

Several American technology giants, including Google, Meta (Facebook), Amazon and Twitter, have made significant investments in the country and have a massive presence in India. In a recent interview with a prominent business daily in India, Brad Smith, Microsoft's president and vice chairman, described a rethink of the data protection bill as "an act of wisdom."

Domestic industry organizations, like the Internet and Mobile Association of India (IAMAI), have also protested about the stringent data localization requirements stipulated in the bill. They allege that the original bill, first tabled in 2019, was entirely altered by the JPC recommendations and now requires a new consultation.

More comprehensive legislation ahead

India's government, meanwhile, has said it plans for a revised and more "comprehensive legislation." What is still being determined is whether the data localization rules will be changed in this.

"There is definitely a need for a more comprehensive legal framework since the pace of technology change is much faster now," said Deepak Kumar, the founder analyst and chief research officer at BMNxxt Business and Market Advisory.

"Over the last few years, we have witnessed the emergence of social media, cloud computing and the Internet of Things (IoT) among other technology concepts," said Kumar. "Further, there is a digital pervasiveness which has highlighted the need to ensure that the citizens' data is not misused. The current legislation [Information Technology Act 2000] is redundant and is not equipped to address the evolving digital landscape."

Want to know more about 5G? Check out our dedicated 5G content channel here on Light Reading.

Over the next month, the Telecom Regulatory Authority of India (TRAI) is also expected to develop recommendations promoting localized data centers to prevent data from leaving India.

India's government has shown a desire to exercise control over the technology and Internet ecosystem in recent years. Earlier this year, for instance, it mandated that VPN (virtual private network) operators would need to collect and store user data for at least five years, sharing user information with the government as and when required.

In a sense, the new rules go against the very purpose of using VPNs. As a result, several players, including Nord, Surfshark and ExpressVPN, decided to remove servers from India to escape the new mandate. For anyone concerned about government access to and use of citizens' data, the latest moves on data localization are a troubling development.

Related posts:

— Gagandeep Kaur, contributing editor, special to Light Reading