DATA LOCALIZATION: PRIVACY CONCERNS AND THE INDIAN DATA POLICY SCENARIO

Written by: Vibhu Krishnatm Choubey[1]

“Law and Technology together produce a regulation of creativity that we haven’t seen it before”- Lawrence Lessig

Introduction: 

In the modern-day era, data has become our shadow. It forms a simulacrum to our existence in the world of cyberspace and data technology. Globalization and the advancement of society have ushered us in the digital age along with the simultaneous and incessant production of data. We have welcomed the digital change with open arms yet we remain unaware of the interminable consequences it entails. Data interacts with different individuals, social institutions, government agencies, and national entities and their respective regulatory and normative frameworks to give rise to a unique and non-uniform legal and directing principles around the world.

Data localization, alternatively referred to as data residency,  pushes the concept of data sovereignty over the collection of all data, being generated in a certain geographic area, collected and accumulated within the set territorial limits of the area. Thus, Data localization makes all the data, created as by-products of all digital transactions, communication, and interaction of individuals/residents with other parties, a resource that is increasingly being perceived worthy of being in control and regulation by a state entity. Data localization finds its relevance in almost all aspects of data control and is heavily interrelated with the ideas of data flow(inter and intra-territorial), development of ideas and laws regarding data protection, the formation of digital rights and the issue of data violations that happen all around the world, most of the times without “consent”. A country pushes for data localization for many reasons some of which can be highlighted as:

  • Establishment and the enforcement of rights of data subjects(i.e. producers of data)
  • Strengthening and reinforcing national securities and preventing foreign surveillance
  • Ease of access to data for purposes of legal enforcement and national interests
  • Maintaining the privacy of essential and crucial data.
  • Promoting economic growth by controlling and maintaining its autonomous data as a commodity

The aforementioned broadly encapsulate as to why a nation might adopt a data legal framework that prescribes a data localized model of working. At the same time it becomes important to throw shade on the disadvantages of adopting data localization laws:

  • The intrusion of the state that is uncontrolled and harms civil liberties
  • Impediment towards growing and having an open data flow thereby restricted economic growth
  • Unevenness in the applicability of data localization thereby leading to vulnerabilities in protecting other important data creation sectors such as healthcare data etc.

Thereby data localization is not perfect in offering privacy and security as a data-control approach. So what makes it relevant is how it is modeled and sculpted to be accommodated into a legal and legislative system that is distinct to each jurisdiction.

India And Its Current Data Policies And Legislative Structure In Advancing Data Privacy And Maintaining Security:

India initially embarked on the slow journey to the realization of the need for data protection and data privacy via legislative decision-making, by amending The Information Technology Act, 2000[2] (hereby referred to as IT act) in 2013 to include The Information Technology (Reasonable Security Practices And Sensitive Personal Data Or Information) Rules, 2011(SPDI Rules)[3] which identifies certain information/data as “sensitive” and thereby prescribes regulations concerning the management, disclosure, transfer, and access to government agencies to further legal enforcement of offenses and so on. Added as an amendment in the IT act, its weaknesses came to light more prominently due to its limited applicability to specific corporate entities, therefore, excluding the government and its related agencies from under its scope of applicability.

Another development that grew predominantly as a legislative attempt to accrete and establish a collected database of identity information via The Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016[4]. The data is collected in a central repository (Central Identities Data Repository{CIDR[5]}). The act established an overwatch, regulatory authority to enforce the legislation i.e Unique Identification Authority of India(UIDAI[6]) and this authority is burdened with the obligation of maintaining data security. The acts consequently also proscribe disclosure of information apart from the statutory permissible conditions. It is not incongruent with subsequent judicial proclamation where the right to privacy was held to be a fundamental right under the constitution[7].

The Telecom Sector had within itself embodied principles with regards to data protection. In granting a Unified License Agreements(ULA to a Telecom Service Provider(TSP’s), the procedural way of obtaining and handling information is elaborated by the Department of Telecommunications(DOT). They impose obligations and create fiduciary liability between the providers and the consumers, to safeguard their private information. The Telecommunication Authority Of India (TRAI) has promulgated various regulations to deal with the behavior of TSP’s with consumers and also for unsolicited commercial communications.

The financial sector has undoubtedly been the first, amongst all sectors, to recognize the importance of protecting financial data due to its sensitive information. The enactment of The Credit Information Companies(Regulations) Act, 2005[8] and subsequently The Credit Information Companies Regulation, 2006[9], prescribe the regulation and control of financial information by such Credit Information Companies(CIC’s) by a legal obligation imposed due to the aforementioned statutory provisions making them adhere to principles relating to privacy and security of the data. Control, disclosure, access, and maintaining secrecy have been legislatively regulated and monitored. RBI Circulars have also gathered prime attention when the main financial body laid down regulation demanding the localization of all system data generated in India within India[10], being cognizant that there is a heavy reliance by corporate/business entities on abroad institutions to store Indian Data. 

However, many sectors have been left unchecked. First, India has no control over the information collected and distributed in the healthcare sector. India has no sector-specific data localization rules that can bring specific entities involved in the processing and handling of data under regulation and administration to provide better security to the data subject from the violations of data that might occur via an intermediary or third parties. Furthermore, as a nation, India lacks the judicial and legislative framework to tackle the issue of data protection and related privacy concerns. No such framework exists to enforce and to monitor data contentions and its unauthorized transfer to other parties, which has been discussed in the latter half of the paper.

Situating “Data Localization” In India In The Backdrop Of Key Data Legislation And Policies: An Insight

India has adopted a basis that favors data localization, which becomes evident after a plain reading of its key policies and legislation that attempts to establish control of data and aim for data sovereignty.  The paper will discuss the concept and the use of localization in key legislative policies and bills, namely

  1. B.N Srikrishna Committee Report On Free And Fair Digital Economy(Data Protection Report)[11]
  2. The Draft National E-Commerce Policy, 2019[12]
  3. Personal Data Protection Bill[13]
  4. National Digital Communications Policy,2018[14]

 And via using such elaboration, emphasis on finding the relevance of data localization in such legislation/policy will be viewed from an objective lens to find their effectiveness in upholding and implementing data security and tackling data privacy concerns. At the same time, the current administrative and other appropriate infrastructure of the country’s will be correspondingly analyzed to see whether data localization approach is something that can be properly recognized in India as a way of pushing forth the idea of maintaining the highest level of data privacy and digital awareness while at the same time not becoming a hindrance in the cross-border data flow, economic development, and coordination between investigation and enforcement agencies, etc. 

A) B.N Srikrishna Committee Report on Data Protection: The committee, first recognized the effects of accepting data localization laws and that its consequences and ramifications that enforcing such laws will entail. Demarcation of three reasons why data localization has been pushed forward in the Indian scenario contains 

(1) Upholding privacy and maintaining the security of data subjects; 

(2) Defense against foreign surveillance;

(3) Increased accessibility of personal data by enforcement agencies and upholding national security.

While the committee was trying to effectively implement a regulatory and legislative structure that rested solely upon the geographical collection of data, it was also aware of the repercussions that resurface after adopting such a protectionist stance of data control, in multifarious aspects of economic growth and industrialization as well as its impact in globalization and furthering of fragmentation of the Internet into distinct data regulating sovereign zones each possessing its unique roles. Certain noticeable disadvantages that can be observed are – 

(1) Hindrances in the transfer of goods and services(especially cross-border data flow)

(2) Restricted Industrial growth(for example in Information technology and border process outsource(IT-BPO Centres) and Business process management(BPM) Industry as data localization will include various restrictions on the regulation of data, based upon local laws rather than cloud computing services and upon the free Internet of Things(IoT); 

(3) Impact on Product digitalization, service offerings and Industrialisation as data localization will render the creation of any hub for global new-age services, that does not comply with local data law as redundant in its functioning; 

(4) Spillover effect on Global in-house centers (GIC’s) and their working which are smaller centers of a large global countries companies who have the task of data processing produced globally and this is carried out by allocating smaller working centers all around the world, at different places, that have a perfunctory task of breaking up of global services alongside handling data, which will be drastically impacted by regional localization of data and its related laws;

(5) Effect on The Indian ecosystem of startups: Local companies have excessive reliance on cloud computing to provide for their data requirements and this will be negatively affected if a data residency is put in place with its related legal and administrative regulations. 

The committee, while forming its recommendations, elaborated on their recommendation of adoption of localized data law for India, by contesting three central arguments against data localizations:

  1. Arguments purported to state that data localization renders the data vulnerable to censorship of state and non-state entities were made by the committee on no mere rationale except denial to the same. The committee didn’t justify their stance when they stated  “merely because data is located in a country does not render it vulnerable to censorship”[15] thus subtly undermining the central issue which talks about the state actors and the non-state actor’s abuse of data due to increased state intervention and regulation.
  1. Regarding the freedom of data and how data localizations promote the state’s interests while making the data more vulnerable to restrictions, the committee stated that this was a completely contextual question and has to be dealt with as such. Reasonable regulation on access may exist on data that is of national importance.
  1. Arguments against data localization have also majorly voiced their views that it will hurt the digital economy of the country and will break up the globalized market leading to fragmentation and varying area-specific data regimes. The committee noted that storing data locally will not entail an impact on the digital economy but rather allow for more enforcement of substantive obligations imposed in the digital sphere[16].

The committee advanced the recommendation that, firstly, all personal data, applicable under law, is to have a live, stored copy in India[17]. Secondly, Certain categories of personal data that are central to the nation’s interest should be mandatorily stored in India with no transfer abroad[18]. Thirdly, The central government has vested powers to sanction cross border transfer flow of data where justified and determinations of data concerning the economic and strategic interest of the state[19]. 

B) The Draft National E-Commerce Policy,2019: The policy recognizes the lack of an enabling regulatory framework in India that can regulate data generated in the Country and thereby making the data accessible and retainable to the digital ecosystem and the consumer. 

The policy aims to streamline the protection of personal data and seeks to regulate the cross-border transfer of data. It lays down regulations with regards to the sharing of sensitive data and prohibiting the usage of it. The policy pushes for the idea of data localization as being imperative for receiving economic benefits by regulating and monetizing data within the country’s borders. It  insists on  

a) creation of a regulatory, enforcing techno-legal framework and formations of restrictions of cross- border data transfers; b) Adherence to prescribed guidelines with regards to sharing of sensitive data of an individual, by a business entity; c) Identification of Data that is exempted from cross border transfer restrictions

The approach taken by the policy framers is very protectionist in its stance and seeks to only push forth the idea of data localization for the utilization of the monetary value possessed by data generated in the digital sphere of commerce, by processing it and regulating its functioning.

The policymakers have been completely ignorant of the current factual scenario of digital infrastructure in India. There is a disregard of understanding that data protection and control can only be fair and justiciable if all the parties are aware of their rights and obligations, which is not something observed in India. In a country where the majority of the population finds itself embroiled in poverty, India’s active online platform users stand at 1.3 billion[20] and there is no significant public awareness about data protection, privacy, and security(elaborated further). The committee also tends to forget to address the legislative structural inadequacy that remains prevalent today, with regards to active data rights and privacy enforcement, and further evades the question of the maintenance of security of the data so localized. 

C) Personal Data Protection Bill,2019: The PDP is India’s first attempt(still pending legal sanction and application) to provide a statutory framework of rights, duties, and obligations held by all parties involved in the collection of personal data. Although there has been no direct mention of the phrase “data localization” but the whole bill is structured and its related provisions with regards to security, transparency, rights, responsibility, accountabilities, and obligations of parties involved in data collection(data principal, data fiduciary, etc.) on the base idea of data being localized within the territorial limits of India. It becomes glaringly apparent, after seeing the applicability of the PDP bill, that the whole idea of control, regulation, and protection of data has been done keeping in mind the India specific scenario of having personal data to be stored within the territorial boundaries of the country. It is implied in Section 33 of the bill[21] where the provision mandates that “sensitive personal data” shall be stored in India. 

The bill, floated in the lower house of the Indian parliament, is quite prescriptive and vests a large number of discretionary powers to make amendments to the act and is overall a substantive attempt to finalize the safety of personal data. However, the scope of the bill is too restrictive, to begin with. What comes under the defined scope of “personal data” should be broadened. Furthermore, the personal data accrues in a lot of places which have not been bought under the ambit of the act but just have been separately defined in the bill, such as health data and financial data, when there is a heavy requirement for sector-specific data protection laws, because of the key reason that the approach towards data localization cannot be generalized and uniformly applied.

D) National Digital Communications Policy,2018:  Though the policy doesn’t explicitly mention the terms “data localization”, the presence of data being collected and stored locally by clause 9 in its preamble[22] which establishes belief in the idea of “data sovereignty”(sovereign control over one own’s data) thereby indicating to data localization which shall be used to secure the economic benefit of the country at the same time give due importance to data privacy, rights and security of a citizen.

The communications policy remains very vague and ambiguous in its attempt to provide an idea of how a regulatory provision shall be put in place to deal with the issues arising out of data regulation and monitoring of an individual’s data privacy and security. Surprisingly provision 2.2 clause (f) of the policy[23] aims to make India a global hub for cloud computing and envisions the establishment of international data centers in India. This is in complete contrast to establishing digital sovereignty as any push towards data sovereignty is inter-related by localization of the said data within the territories of the country. Data localization/Data sovereignty thus implies a protected or a heavily supervised data policy regime prone to state intervention of a country and will entail complex interactions with various data controllers/data fiduciaries making the country a poor choice for obtaining the aforesaid objective of being a global hub for cloud computing or in the establishment of data sectors.

It is observed that the data policy regime is neither very comprehensive nor regulated by other statutory or judicial decisions thus leaving it open to external abuse. All the applicable statutes and amendments in the Indian scenario hence focuses heavily on data localization without adequately addressing other ancillary but equally quintessential conditions such as improvement of digital infrastructure, spreading awareness of digital rights, advanced complementary legislation that ease and work in tandem with data localization laws to enforce data rights and privacy concerns adequately, by providing additional and supportive structure to advance the punishment of offenses. Enforcement of data violations also needs to be looked at and developed first before completely focussing on localization and possessing data. Without a separate and elaborate discussion on the aforementioned grounds, there can be no guarantee that data localization, in itself as a policy aim, will provide a fully secure digital environment to an Individual.

Data Localization As Envisioned And Applied In Other Jurisdictions In Contrast To India:

  1. Russia: Data privacy in Russia was developed by the introduction of The Russian Federal Law “On Personal Data[24]” and consequently was amended by the “On Amendments To Certain Legislative Acts Of The Russian Federation For Clarification Of Personal Data Processing Information And Telecommunication Networks[25]”, thus firmly establishing the policy of data localization in Russian data protection laws. Russia follows a stringent practice of data localization and has elaborated data protection on all exhaustive data collectors and related intermediaries who work under the territorial boundaries in Russia and handle Russian data. Russian law mandates a formation of a national supervising authority having fully well-defined jurisdiction and authorization to take decisions concerning data laws i.e The Federal Service for Supervision of Communications, Information Technology, and Mass Media (the “Roskomnadzor”)[26]. Hence we observe that the state has used such data localization laws as an ultimate negotiation. Either firms or data collectors who want to access the Russian market have to comply or get closed off from the market. 
  1. Vietnam: Data protectionism is mainly done via data localization and all the regulatory legislation on data policy is based on the retention of data sovereignty. The Law On Cyber Information Security(LCIS)[27] and The Law On Cyber Security(LCS)[28] are the main pieces of legislation on data protection along with another 50 ancillary legal regulations issued in different sectors concerning different data collected over multifarious sectors. There exist three broad sectors under which laws have been further subdivided into the financial system, health and Pharma system, and telecommunication sector. All of these laws retain the primary essence of being localized in the Vietnamese region where there is a collection of data by a Vietnamese user.
  1. Columbia: The document on Basic Digital Services by the Columbian ministry of information heavily stating reliance on data localization as they reduce the risk to network security and data protection. Statutory Law 1266 of 2008[29] has majorly targeted and compiled data regulations for the financial and commercial sector to adhere to alongside Statutory Law 1581 of 2012[30] which establishes the control and regulation of personal data processing and its databases thus employing data localization to safeguard personal and sensitive data.
  1. Canada: As a country, Canada embraces data localization specifically in certain provinces such as British Columbia and Nova Scotia which prescribe the collection of all personal data held by any public body to be stored and accessed within the territorial limits of the country. Along with specific laws that require localization, data protection laws are upheld by Canada’s private sector privacy legislation, The Personal Information Protection and Electronic Documents Act (PIPEDA)[31] alongside The Digital Privacy Act which establishes data protection in the public/consumer sector.
  1. China: Data protection in china is stringently enforced and is separate for different sectors as well as included in different regulations and laws. Article 37 of The China Cybersecurity stipulates storage by “critical information infrastructure” operators of all the data that is produced in Mainland China and is enclosed within the aforementioned category[32].(such as public information/communication services, water resources data, public services, etc.) Apart from this, the Chinese have enforced localization of financial as well as healthcare data. Effective implementation, as well as the comprehensiveness of the plethora of legislative enactments, have been achieved primarily due to the totalitarian political regime and what suits national interests

Legislative Incompetence And Infrastructure Inadequacies: Issues That Demand Scrutiny Concerning Formulation Of Data Protection Policies In India:

India is at a critical juncture of realizing data protection. In doing so, it should consider the following issues:

  1. Whether the country has digital awareness and the need for governing data? If yes, Does the Country have sufficient infrastructure to successfully implement and enforce such Data Protection Laws?: In the Indian scenario, most of the people are unaware of their data rights and how their data might be misused and the Central government allocates only 0.64% of its total budget to IT and Technology[33]. This shows that not only is there a lack of capable infrastructure to implement comprehensive data protection laws but there is lack of central funding to improve digital and related infrastructure alongside improper central and national importance given to the idea of Data Protection
  1. Is there other ancillary legislative infrastructure that supports the regulatory framework of data localization against the bigger picture of data protection of the nation?: India has no set of data- policy legislations whose availability can help with the enforcement of data localization laws aimed at promoting data privacy and security. The main piece of legislation on data protection lies in the rules(SPDI) issued under sec 43 of The Information Technology Act, 2000 by the 2011 amendment[34] which only allows for the protection of certain sensitive data of body corporate and individual. India should build further legislative regulations for main sectors that generate essential data and should overall make its data protection law broad enough before straightaway forcing for data localization laws in its different sector policies without any legislative/judicial procedure to enforce data violations and address security concerns?

In contrast, U.S.A has a generalized privacy act i.e The Privacy Act, 1974[35] (dealing with data handling by the government agencies), The Gramm-Leach-Bliley(GLB) Act,1999[36] (legal regulation in banking and financial services by lending protection to financial nonpublic data), The Health Insurance Portability and Accountability Act (HIPAA),1996,[37] (dealing with the health sector by extending protection to health data and healthcare insurance), The Children’s Online Privacy Protection Act (COPPA), 2000[38],(dealing with the protection of data of children younger than 12 years of age). This shows that effective enforcement of broad sector/area-specific law-making in furtherance of Data protection and how a comprehensive, overarching data regulatory model can be made by patching up multiple data-centric legislations

  1. Is there an establishment and existence of a separate national supervisory authority that regulates and adjudicates upon issues arising out of data protection, its violation, and related data security concern?: India aims at the creation of a Data Protection Authority in the proposed legislative bill of PDP. It can be contended that for proper resolution and management of issues and concerns arising out of data protection, there should be a distinct national entity with suitable powers to decide on such issues. Countries such as Canada have Officer of the Privacy Commissioner[39] Russia has the Roskomnadzor  and there is also an Australian Information Commissioner in Australia. These all are global examples that urge the formation of a singular national entity dealing only with data security, data protection, and data violation.

Recommendations To A Better Indian Data Policy Regimes:

In light of the above, certain recommendations do come to mind to better the current regime of data protection in India. Some of them can be highlighted as follows:

  • A higher emphasis on spreading data awareness and making citizens realize the value of their data while at the same time developing and investing in digital infrastructure that can enforce the data protection regulations:-   India should devise campaigns regarding data awareness highlighting the importance of individual data. This can be done through central government awareness drives and nationally held workshops all across India. The Indian government should also increase the net allocation of its budget to Information Technology in a way that it allows for a better, structurally sound data protective framework alongside a protean digital structure that remodels to accommodate the need for data privacy and security in the current scenario
  • Introduction of generalized data-privacy legislation that works in tandem with other ancillary data policy legislation that should be present for each unique sector:-   India should bring forth a data privacy law that establishes itself at the center of all data processing disputes and concerns itself with aspects of data protection, privacy and their related violations by any party. Furthermore, there should be emphatic stress on the need of legislative data policy laws that govern each unique sector such as finance, health, public services, etc. according to their specific context keeping in mind the difference amongst varying sectors in the processing of data
  • Establishment of a national supervisory body that regulates and enforces all related data legislations and acts as an extra-judicial dispute mechanism to solve contentions arising from data violation and data breaches:-   India should collectively establish a national data regulatory bodies that have a tribunal to decide on issues arising out of data sharing and privacy and security breaches. They shall further set down an elaborate systematic procedure to be followed for enforcement of data rights by providing the first level adjudication mechanism before appealing to the judiciary.
  • Increase of Public Interest litigations in the domain of data protection and data safety laws coupled with increased judicial activism on behalf of the Indian Judiciary:-   India should start contesting and bring into light data concerns thus forcing the judiciary to craft judgments that demarcate the boundaries of data protection thereby expanding or restricting the obligations, duties, and rights imposed between data entities. The U.S.A shows a very proactive approach in law-making concerning data protection which can be seen in the latest Microsoft clash with the Department of Justice over the issue of accessibility to email contents that was stored in Ireland[40]. Even the Canadian Courts have taken a judicial stand when asked to decide over whether a certain delisting order can have the impact of affecting the whole of search results of Google’s search engine around the world[41].

The global data policy regime tells us that India needs to be more responsive and should start taking into hands the issue of data protection more actively by both the legislative and judicial means. At the same time, India being unique in its consumer base, it has to make sure that there exists a uniformity of awareness at every level of the society about data and its significant importance so that there can be proper development of data responsibility. Apart from changing the recondite situation about data rights and data violations in the country, a next step forward is the reinvigoration of the data policies and heavy stress on developing digital infrastructure made to fit and be ready for the ever-expanding digital space and also for penetrating the digital global economic market, so that India can possess a regulatory body which performs overwatch to make sure that the country can flourish under the data-driven economy without falling prey to data abuser while at the same time developing the abilities to enforce and penalize the abuse of data or any data violations. As a country, India can benefit from diversifying and broadening the scope of protection it gives to processing and usage of data from every sector. While at the same time, data localization may help India from security and privacy threats against data but it cannot be the sole working option that exists without any other broad privacy drive and user-centric data legislation.

Conclusion:

Data localization as a policy regime has its own set of advantages and disadvantages. India has to deal with many intractable issues to come up to the position of its global counterparts, in terms of data protection and privacy. To do so, a systematic legislative driven data policy is required coupled with the existence of a distinct data authority that provides regulation and offers versatile recommendations and rules for compliance for multifarious players in the digital market at every unique sector that has the potential of accumulating major data. Judicial activism is another tool that can be employed in this field to introduce specific legislation that targets data privacy and data security by way of creating judicial pronouncements and indicate the legislature to focus on more data policies.

The scenario in current India is very open to abuse and misconduct of data by any party. It needs to strengthen itself so that it can aim at a fruitful development of society through data utilization and maintain order in its network security in this digital age. Furthermore, India can extract the monetary value that data possesses, being one of the largest data producers around the world.  The aim should be to promote the personal data privacy of its citizens while at the same time it should be in a position to supervise and regulate the workings of the digital marketplace for the benefit of the country.

References

[1] NALSAR, University of Law

[2] The Information Technology Act, 2000, Act no. 21, Acts of Parliament, 2000 (India).

[3]  Ministry Of Communications And Information Technology (Department Of Information Technology), The Information Technology (Reasonable Security Practices And Sensitive Personal Data Or Information) Rules, 2011, https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf.

[4]  The Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016, Act No. 16, Acts of Parliament, 2016 (India).

[5]  The Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act, 2016, Act No. 16, Acts of Parliament, 2016 (India).

[6] UNIQUE IDENTIFICATION AUTHORITY OF INDIA, (Aug 13, 2020, 10:11 AM), https://uidai.gov.in/.

[7] Justice K.S.Puttaswamy (Retired). vs Union of India And Ors., 2017, 10 SCC 1.

[8]  The Credit Information Companies(Regulations) Act, 2005, Act no.30, 2005 (India).

[9] Ministry Of Finance Department Of Economic Affairs (Banking Division),(2006), The Credit Information Companies Regulations, 2006, https://upload.indiacode.nic.in/showfile?actid=AC_CEN_2_11_00003_200530_1517807317795&type=regulation&filename=the_credit_information_companies_(regulation)_2005_-_regulations.pdf.

[10] Storage of Payments System Data, RESERVE BANK OF (Aug 08, 2020, 11:23 PM), https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11244&Mode=0.

[11] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna(2018), A Free and Fair Digital Economy Protecting Privacy, Empowering Indians, can be accessed here: https://www.prsindia.org/sites/default/files/bill_files/Committee%20Report%20on%20Draft%20Personal%20Data%20Protection%20Bill%2C%202018_0.pdf.

[12] The Draft National E-Commerce Policy, 2019,  DEPARTMENT OF INDUSTRIAL POLICY & PROMOTION, (Aug 10, 2020, 02:34 PM), https://dipp.gov.in/sites/default/files/DraftNational_e-commerce_Policy_23February2019.pdf.

[13] Ministry of Law and Justice, The Personal Data Protection Bill, 2019, PRS LEGISLATIVE RESEARCH, (Aug 11, 2020, 05:35 PM), https://www.prsindia.org/sites/default/files/bill_files/Personal%20Data%20Protection%20Bill%2C%202019.pdf.

[14] National Digital Communications Policy, 2018, DEPARTMENT OF TELECOMMUNICATIONS, MINISTRY OF COMMUNICATIONS, (Aug 8, 2020, 8:13 AM), https://dot.gov.in/sites/default/files/EnglishPolicy-NDCP.pdf.

[15]  Committee of Experts under the Chairmanship of Justice B.N. Srikrishna(2018), A Free and Fair Digital Economy Protecting Privacy, Empowering Indians,(Pg 95 of the report),can be accessed here: https://www.prsindia.org/sites/default/files/bill_files/Committee%20Report%20on%20Draft%20Personal%20Data%20Protection%20Bill%2C%202018_0.pdf.

[16] see supra note 14.

[17] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna(2018), A Free and Fair Digital Economy Protecting Privacy, Empowering Indians,(Pg 96 of the report),can be accessed here: https://www.prsindia.org/sites/default/files/bill_files/Committee%20Report%20on%20Draft%20Personal%20Data%20Protection%20Bill%2C%202018_0.pdf.

[18] ibid.

[19]  ibid.

[20] Tishya Pandey, Data protection culture in India adequate?, THE NEW INDIAN EXPRESS, (Aug 12, 2020, 11:22 AM), https://www.newindianexpress.com/opinions/2020/aug/01/data-protection-culture-in-india-adequate-2177653.html#:~:text=In%202020%2C%20India%E2%80%99s%20active%20online%20platform%20users%20stands,India%20to%20address%20the%20lacunas%20that%20the%20.

[21]  Ministry of Law and Justice, The Personal Data Protection Bill, 2019, section 33, PRS LEGISLATIVE RESEARCH, (Aug 11, 2020, 05:35 PM), (Pg. 22), https://www.prsindia.org/sites/default/files/bill_files/Personal%20Data%20Protection%20Bill%2C%202019.pdf.

[22] The Draft National E-Commerce Policy, 2019,  DEPARTMENT OF INDUSTRIAL POLICY & PROMOTION, (Aug 10, 2020, 02:34 PM), (clause 9 at Pg. 2), https://dipp.gov.in/sites/default/files/DraftNational_e-commerce_Policy_23February2019.pdf.

[23] The Draft National E-Commerce Policy, 2019,  DEPARTMENT OF INDUSTRIAL POLICY & PROMOTION, (Aug 10, 2020, 02:34 PM), (Pg. 15), https://dipp.gov.in/sites/default/files/DraftNational_e-commerce_Policy_23February2019.pdf.

[24] Data Protected – Russia, LINKLATERS, (AUG 12, 2020, 04:24 PM), https://www.linklaters.com/en/insights/data-protected/data-protected—russia.

[25] ibid.

[26] ibid.

[27]  Data Protected – Vietnam, LINKLATERS, (Aug 12, 2020, 6:33 PM), https://www.linklaters.com/en/insights/data-protected/data-protected—vietnam.

[28] ibid.

[29]  Colombia, DLA PIPER INTELLIGENCE, (Aug 12, 2020, 7:17 PM), https://www.dlapiperdataprotection.com/index.html?t=law&c=CO.

[30]  ibid.

[31]  Data Protected – Canada, LINKLATERS, (Aug 12, 08: 01 PM), https://www.linklaters.com/en/insights/data-protected/data-protected—canada.

[32]  Yuxi Wei, Chinese Data Localization Law: Comprehensive but Ambiguous, UNIVERSITY OF WASHINGTON, (Aug 12, 2020, 08:42 PM), https://jsis.washington.edu/news/chinese-data-localization-law-comprehensive-ambiguous/.

[33] Expenditure of Government of India, UNION BUDGET, (Aug 12, 2020, 10:14 PM), (Pg. 3), https://www.indiabudget.gov.in/doc/Budget_at_Glance/bag6.pdf.

[34] See supra at n. 2.

[35] The Privacy Act,1974, 5 U.S.C. § 552a (1974).

[36]  The Gramm-Leach-Bliley(GLB) Act,1999, 15 U.S.C. §§ 6801-6809, §§ 6821-6827(1999).

[37]  The Health Insurance Portability and Accountability Act (HIPAA),1996, Pub.L. 104–191 (1996).

[38]  The Children’s Online Privacy Protection Act (COPPA), 2000, 15 U.S.C. §§ 6501–6506 (2000).

[39] See supra at n. 30.

[40] Microsoft v. Department of Justice, ELECTRONIC FRONTIER FOUNDATION, (Aug 13, 2020, 09: 12 AM), https://www.eff.org/cases/microsoft-v-department-justice#:~:text=Microsoft%20sued%20the%20Department%20of%20Justice%20%28DOJ%29%20in,users%20their%20data%20is%20being%20searched%20or%20seized.

[41] Eric Goldman, US Court Protects Google From Canadian Court’s Delisting Order–Google v. Equustek, TECHNOLOGY & MARKET LAW BLOG, (Aug 13, 2020, 10:11 AM), https://blog.ericgoldman.org/archives/2017/11/us-court-protects-google-from-canadian-courts-delisting-order-google-v-equustek.htm#:~:text=The%20Canadian%20Supreme%20Court%20affirmed%20the%20global%20delisting,United%20States%20and%20an%20order%20enjoining%20that%20enforcement.%E2%80%9D