Assessing India’s obsession with data localisation

Covid-19 has spawned contact-tracing worldwide, triggering collection and processing of personal data. Privacy protections surrounding this are nascent, raising significant concerns about their permanence in our society. The Supreme Court’s landmark Puttaswamy judgement recognised privacy as intrinsic to personal liberty under Article 21.

Concurrently, it recognised that a legitimate interest, say, an epidemic, might restrain the right — provided the doctrines of ‘necessity’ and ‘proportionality’ are satisfied. In this context, a recent order from the Kerala High Court in Balu Gopalakrishnan assumes significance.

The Kerala government contracted US-based Sprinklr Inc for Covid-related medical data analysis. Petitioners assailed this contract for lacking adequate privacy safeguards, arguing that the jurisdictional choice of New York virtually renders Indian citizens defenceless against a breach.

The court’s order pervasively focuses on ‘data localisation’, that data concerning Indian residents must reside within India to secure jurisdiction of her courts. This sentiment has been echoed by Union ministers as well. We submit that data localisation is an anachronism, and severely inhibits privacy protections envisaged under the Constitution.

A comprehensive safeguard instead necessitates attaching jurisdiction through the residence of the ‘data subject’. In fact, Delhi’s obsession with data localisation stalls the resolution of another obsolescence ailing India’s privacy regime – the absence of a data-protection legislation.

Currently, statutory protections are entirely contained within the Information Technology Act, 2000 (IT Act). Data localisation advocates, and respondents in Gopalakrishnan argue that localisation attaches jurisdiction using Section 75(2) of the IT Act, which applies the Act extra-territorially (outside India) if a breach “involves a computer … located in India.”

Any reassurance from Section 75(2) is a facade. Consider this, Sprinklr decides to use a supercomputer in Ohio and copies data from Indian servers. The supercomputer at Ohio – containing data of Indian nationals – is breached. In such a case, Section 75(2) will not operate since the computer “located in India” was not breached, and absurdly, an Indian will be without remedy.

The IT Act was designed to facilitate e-commerce, not for data protection. Thus, virtually, the entirity of its penal provisions are predicated on tangible loss (see Sections 43A, 66, 66C, 66D, and 66E). Disclosure that someone is diabetic may not cause a “loss” but is still a privacy violation – yet, the IT Act provides no remedy here.

Resolving these absurdities requires a fundamental re-imagination of our privacy jurisprudence. Jurisdiction should attach to any entity collecting, processing, and/or storing personal data based on the residence of the data subject, not its location. This approach allows greater flexibility for processing while also comprehensively protecting privacy.

The spatial approach of data-localisation is incongruent to the very concept of privacy. This was first enunciated by the US Supreme Court (Scotus) in Katz v United States, where wiretapping without entering a person’s home was challenged as a violation of Fourth Amendment rights.

The Fourth Amendment is textually spatial; it protects against unreasonable search and seizure of someone’s “persons, houses, papers, and effects.” Drafted around 1791, its text could not possibly predict the intrusion that remote technologies can accomplish today.

Therefore, like data-localisation, it was written with spatial limitations and a literal interpretation renders it redundant today. Cognizant of this vulnerability, Scotus held that privacy attaches to people, not places, and therefore, wiretapping even absent a literal intrusion was unconstitutional.

The Indian Supreme Court, in Dist Registrar & Collector v Canara Bank, adopted Katz with approval, placing individuals at the locus of privacy. In Puttaswamy, Justice Chandrachud wrote, “Privacy is a concomitant of the right of the individual to exercise control over his or her personality.” Justice Nariman distilled an informational aspect of privacy, distinct from an individual’s physical body. As a principle seeking to preserve privacy, therefore, data localisation ignores its evolution and attempts to restrict it to an obsolete conception of tangibility and spatiality.

Restrictive view

To argue that Indian courts cannot pursue offenders abroad without data localisation is a restrictive view of jurisdiction. The Supreme Court in GVK Industries acknowledged Parliament’s power to legislate extra-territorially for the interests or welfare of inhabitants of India. Article 73 of the Constitution makes the Union executive power contemporaneous with Parliament’s legislative authority.

Therefore, where the welfare of Indians is concerned, legislative and executive powers of extend outside India too. The Constitution’s Fundamental Rights Charter is meant to check state authority. Consequently, it too, must operate abroad if the state pursues extra-territorial acts.

Concluding otherwise would confer absolute impunity to state action abroad, even when it infringes the rights, interests or welfare of the people of India. The Constitution provides for writs under Articles 32 and 226 for enforcing rights of Indians, indicating that the jurisdiction of the Supreme Court and high courts would extend extra-territorially in such cases.

There is precedent for this understanding of jurisdiction. Section 4 of the IPC provides that an Indian citizen may be charged with an IPC offence committed while she is abroad, even if it is not an offence in that country. Parliament has therefore attempted to regulate the conduct of Indian citizens abroad to accord with India’s standards of criminality. In such cases, Indian courts gain congruent jurisdiction already. For data protection, Europe’s General Data Protection Regulation statutorily attaches jurisdiction based on residence of “data-subject”, rejecting data-localisation. Under the Protective Principle, international law also permits extra-territorial jurisdiction of states for its own preservation or protecting its interests. Clearly, critical personal data of its residents is at the core of a state’s interests.

In Maneka Gandhi, the SC noted that courts should “expand the reach and ambit of Fundamental Rights, rather than to attenuate their meaning and content by a process of judicial construction.” By relying on constricted and overly simplistic anachronisms like data-localisation, policy makers are turning away from this guiding principle.

(Maniktala is an LLB student, Campus Law Center, University of Delhi; Khurana, is an LLM graduate from the UCLA School of Law, USA)