Lalit T Khanna, General Counsel, STT Global Data Centres India Private Limited

The rapidly growing digital environment in India is increasing demand for data centres. Businesses are aggressively going forward with investments in these assets as a result of the growth in cloud use and data consumption. It has been made possible for India to become a significant global hub for data centres by their preparedness to host data centres for data storage and deployment facilities.

This expansion has been further fuelled by forward-thinking government initiatives like digital India, Make-in-India, Atmanirbhar Bharat, and others. The country presents a big opportunity for data centres, which NASSCOM predicts would draw over $200 billion in investments yearly by 2025.

The Digital Personal Data Protection Bill 2022 (the “2022 Bill”), which the Indian government has introduced, is encouraging since it would strengthen the protection of sensitive data due to growing data consumption. This much awaited change would protect consumers’ private information from unauthorised use and enhance the digital ecosystem’s dependability, security, and safety.

Another focus of the 2022 Bill is the effective use of data with assurances of data security, openness, and informed permission. The 2022 Bill while maintaining the right goal of protecting personal data and opening the door for cross-border data transfer, weakens the data localisation requirements covered in the Personal Data Protection Bill, 2019, that raise significant concerns about the protection of data generated in India but processed and/or stored outside of India.

The overriding provision of the 2022 Bill, which stipulates that in the event of a contradiction between its provisions and any other existing legislation, the former shall prevail, may also result in misunderstandings and conflicts.

In the past, the Reserve Bank of India (RBI) mandated that, for the sake of data security, all data generated by Indian payment systems be stored there. In a similar vein, the Securities and Exchange Board of India (SEBI) announced its intention to create rules mandating that foreign businesses store information on India locally. Now that sectoral norms are being challenged, the overriding clause in the 2022 Bill would not only cause more instances of conflict.

If it is passed into law, it will allow data fiduciaries and processors to share data outside of India without being aware of how the personal data will be used there. Because of this, maintaining the same level of security in the nations where data is being housed may be difficult. For instance, it will be challenging for security officials to find the wrongdoing in the event of any data breaches or unlawful data sharing.

Data localisation can assist with improved control over data protection enforcement, national interest protection, and citizen or financial data protection from foreign surveillance. If it is passed into law, it will allow data fiduciaries and processors to share data outside of India without being aware of how the personal data will be used there.

Because of this, maintaining the same level of security in the nations where data is being housed may be difficult. For instance, it will be challenging for regulators to find the wrongdoing in the event of any data breaches or unlawful data sharing. Data localisation can assist with improved control over data protection enforcement, national interest protection, and citizen or financial data protection from foreign monitoring.

Increasing clarity around fixing obligations and responsibility in the event of a compromise of personal data:

Three significant parties are listed under the 2022 Bill to whom its provisions can be applied: A data fiduciary is the organisation that chooses the reason for and the method for processing data. A data processor is the organisation that handles personal data on the data fiduciary’s behalf. The term “processing” is defined as an automated action carried out on digital personal data throughout its lifecycle, such as collection, recording, organisation, structuring, storage, adaptation, alteration, etc..

The definition of “storage” is quite broad, which could lead to the inclusion of property owners, lessors, licensors, and colocation service providers (collectively, “infrastructure providers”) as data processors since they give data fiduciaries/data processors space and infrastructure support for their servers and equipment at the data centre building. The infrastructure provider, who is not even permitted to monitor, access, or control any personal data held in such servers/equipment, continues to have no control over the servers and equipment (wherein data, platforms, and apps are stored).

Therefore, it is important to add a clarification that states that an entity is not considered to be “processing” personal data if it merely provides space and infrastructure support and does not monitor or access the personal data stored on a server or other piece of equipment owned by a data fiduciary.

Furthermore, it would be excessively burdensome for infrastructure providers to uphold the duties of data processors when they are only giving the space and infrastructure support to data fiduciary/data processor for their servers and equipment in the building.

For instance, the requirement that infrastructure providers act as data processors and report any personal data breach events to all data principals and the Data Protection Board of India even though they have no access to or knowledge of the Data Principals and are not involved in any processing of the Personal Data, making it impossible for them to notify the affected Users.

In a digitally connected society, data centres are incredibly important. Data centres are cost-effective storage facilities that provide the highly resilient infrastructure required to guarantee 100 per cent uptime for all critical services required by their clients.

This ensures that the clients’ businesses, operations, and systems—including their equipment and servers—perform effectively, efficiently, and most importantly continuously. Businesses and even government agencies are depending more on the secure surroundings of data centres to store sensitive information.

As a result, eliminating obstacles and uncertainties would boost investor confidence and promote the growth of the data centre industry, which was recently given the infrastructure status in the most recent Union budget 2022–23.

Given the enormous potential that lies ahead, the 2022 Bill must serve as an enabler that not only encourages the development of data centres in India but also as a building component of Digital India for a thriving economy.