Data Localisation in South-Asia

DCU Law and Tech regularly publishes blog posts discussing the topics Law and Technology written by a variety of authors.

Ashit Srivastava
Dharmashastra National Law University, Jabalpur

There is a subtle but consolidated growth for demand of data-localization among the developing nations; interestingly, South-Asian countries are taking the lead in this perspective. Ever since the 2016 Facebook-Cambridge Analytica scandal bubble burst, there was an invariable demand for a sound data protection regime across the globe, with Europe’s General Data Protection Regulation (GDPR) turning out to be a template model for data protection.

Interestingly, most of the South-Asian countries follow the model of GDPR for framing their own Data Protection Regime. India, too has borrowed several of its data protection concepts from GDPR. However, a deviant feature that epitomizes the Indian Personal Data Protection Bill, 2019 is the call for data localization. Interestingly, the first draft of the Personal Data Protection Bill, 2018 made under the chairpersonship of Sri B.N. Srikrishna committee batted for a blanket data localization, meaning every form of data pertaining to the Indian citizen needs to be stored within the boundary of India. This particular committee’s suggestion was met with a great amount of furor by the social media intermediary and industry expert. The whole concept of data localization has been seen annexed with the concept of data sovereignty or data-nationalism. Mostly because data is the new oil for running an automated industry, it is believed that a firmer control over data in the form of data localization would help ensure security to data and create accountability onto the social media and search engine websites, which for decades have avoided following native laws.

Coming back to the legal aspect of it, the second draft of the India Personal Data Protection Bill, 2019 does not provide for a blanket data localization; rather, it provides for categories of data that can be processed in India and outside India. Under these categories, sensitive personal data needs to be stored in India, but such sensitive personal data can be transferred outside India provided the conditions given under section 34 (1) are fulfilled. Further, the critical personal data can be processed only in India [Section 33 (2)]; however, in few circumstances, the Critical Personal Data can be transferred outside India [refer to section 34 (2)]. Interestingly, in the new draft the critical personal data would be notified by the Central Government, whereas, in the earlier draft the Data Protection Authority had a role to play in it.

The Pakistan model of data localization is some-what similar to the model of Indian Data localization. Just like the Indian model, there is a segregation of data into sensitive and critical personal data. However, the other point under the Pakistan Data Localization is the critical personal data cannot be transferred outside the country (refer to section 14.1 of Pakistan Personal Data Protection Bill, 2020, however under section 14.2, certain categories of personal data may be exempted from the application of section 14.1 but certainly those categories of data cannot be styled as critical personal data). However, it is interesting to notice that the Pakistan draft of the Personal Data Protection Bill, 2020, is similar to that of the GDPR model; the only point of deviations comes in the form of data localization, which is similar to the Indian model.

Further, the Bangladesh legislators are also contemplating creating a comprehensive document in the discipline of data protection and providing data localization for the data created locally. At present, Bangladesh has Digital Security Act, 2018 (DSA). Still, DSA cannot be regarded as a comprehensive document dealing with data-protection matters, the only handful of sections under DSA deal with data protection matters. However, sectoral laws are providing for data protection and localization provisions, but there is no central enactment on this matter. The intention of the Bangladeshi legislator seems quite clear pertaining to data localization.

Further, looking towards the south, the Sri Lanka Data Protection Bill, 2021, styled as Regulating of Processing of Personal Data 2021, still awaits to be approved by the Cabinet. However, the Sri Lanka Data Protection Bill (DPB) too has been influenced by the GDPR, in fact, many of the terminologies utilized by the GDPR are utilized in the Sri Lankan DPB. Yet, there is a clear deviation of the Sri Lankan DPB from the South-Asian trend of data localization. The provision of data localization is limited only to data being processed by the Governmental authorities. Even that can be transferred outside after Data Protection Authority in consultation with the Data Controller and the Regulatory authorities allow for it (refer to section 27 of the bill). The Sri Lankan DPB has emphasized the adequacy mechanism, which is quite similar to the European GDPR model.

There surely is a commonality running among the South-Asian countries, transcending beyond their political boundaries. The demand for data localization seems like a common war cry of the South-Asian countries against non-native corporations. Especially after the 2016 U.S. election incident & Edward Snowden incident, there is a huge amount of distrust that several countries have against the multinational social media intermediary & against foreign governments and their tools of persuasion.

Data-localization seems like a panacea to all the distrust issues raised by recent trends, the other point which the Data-localization seems to soothe is the jurisdictional question. As most of the corporations are western corporations, there are hard times for native Governments to apply their local laws onto them. Especially knowing that these Corporations mostly choose to follow their own set of policies, which are mostly reflective of their own countries ethos. These sets of policies always tend to lead to an ideological conflict with the local laws. The idea of policies which any foreign social media intermediary would be promoting, surely will not be in consonance with the policies practiced in any of the South-Asian countries, which is bound to produce conflict. Therefore, in order to bring more subjugation against this ideological difference, data-localization seems like a useful tool. Therefore, in simpler terms the idea of data-localization can be regarded as a leveraging tool in the hands of South-Asian countries to bring more accountability and consonance with the local laws.

However, there are certain drawbacks which data-localization tends to generate and something on which an eye needs to kept. A full-fledged push for data-localization means an impromptu pressure on the local infrastructure, the viable question to be asked is, are the local condition conducive enough to handle huge amount of inflow of data? If yes, what sort of climatic impact it would have on the native land, knowing that data-centers tend to produce huge amount of heat, which on the other hand would produce global warming. For keeping the data-centers cool, cooling systems would be required, which again would call for huge demand of electricity. The more the electricity, the more the carbon foot print.
A geo-strategic move towards lessening the carbon emission from the Data-Centers has been to locate them in naturally cool places or using of renewable energy to meet the electricity demand. Therefore, it is of much necessity that the countries pushing for data-localization should also push for more greener electricity, India currently is at 3rd place in the world for producing renewable energy. But this has to be in consonance with the electricity demand of the upcoming data centers, globally electricity consumption of data-centers have amounted to 3 percent of the world electricity generated (

The other aspect that needs to be analyzed is the ownership of the data centers; there is no doubt that push for data localization will also push the multi-billion-dollar corporations to establish their data centers in the native land. However, the smaller social media intermediary more probably will not be in a state to be able to sustain their services. In all probability, the small corporations will go for rented data centers. In the area of social media websites and search engine websites, everything is demand on the flow of data. If the flow of data is limited, the services are limited. Thus, the small corporations would be dependent on the data-centers rented out by large corporations, which could have impact on their independency.

Therefore, a more inclusive distribution of data-centers space needs to be made to ensure no service is excluded due to data localization.

More Blog Posts

Artificial Intelligence and Banking Governance
Valeriana Forlenza
University of Pisa, Italy
On June 14, 2023 the European Parliament adopted its version of the draft Artificial Intelligence Act («AI Act»). While the final…
How can AI improve corporate criminal compliance?
Nicolò Di Paco
University of Pisa
At present, the difficulties that companies have to face in fulfilling self-regulatory tasks are increasing. First of all, corporations nowadays deal…