Operations cost may go up for global firms under new data regime

economictimes.indiatimes.com:

The Digital Personal Data Protection (DPDP) Bill, which was passed in the Lok Sabha on Monday, provides for an easy cross-border movement and processing of personal data in all geographies, except those barred by the government from time to time. The bill, however, also stipulates that this provision shall not restrict any other laws which mandate and provide “for a higher degree of protection for or restriction” on the transfer of personal data outside India by a data fiduciary. The sectoral laws by various regulators will supersede the provisions of the DPDP Bill when it comes to mandates for data localisation, a senior government official told ET.

“Sectoral regulations will be over and above this. Some sectors may have stricter requirements for storing data within the country. If they mandate so, it has to be followed.

And even if it leads to higher costs, so be it. Keeping the citizen's data is the priority and if a company deals in such sensitive datasets, they have to ensure compliance,” another senior government official told ET. Among the significant sectoral regulators, the Reserve Bank of India has already mandated that banks and financial institutions operational in India must store the data of Indian citizens locally.

“So tomorrow if a National Health Mission or the Irdai (Insurance Regulatory and Development Authority of India) or Sebi (Securities and Exchange Board of India) mandates local storage, it has to be followed,” the official said. Experts, however, said that this could lead to business uncertainty among smaller firms, which rely on cost-effective data storage solutions to run businesses. “Overlapping rules exacerbate regulatory uncertainty, which deters businesses and economic growth.