Pending legislation intended to protect the privacy of India’s citizens could set the stage for a sovereign cloud initiative and new opportunities in the Indian cloud ecosystem. Is India following the same trajectory as Europe toward data sovereignty? And what benefits could it bring to the country and its people? To learn more about the ripple effects passing the Personal Data Protection Bill (PDP) could have on the industry, read on.
The passage of the PDP Bill would change the data privacy dynamics within India by regulating the use of an individual’s data by the government and private companies. While not expected to come before the Indian Parliament for at least another three months when the winter session starts in November, the long-delayed and highly-debated legislation has larger potential implications.
First brought to the Parliament in 2019, the bill is now with the Joint Parliamentary Committee (JPC) for examination, where five extensions to submit its report on the bill have already been granted.
The most current draft has been criticized by many, including former Justice B.N. Srikrishna, who worked extensively in defining and writing the first draft of the PDP Bill. Justice Srikrishna has highlighted certain provisions in the amended PDP Bill 2019 that he says make it “dangerous” and can turn India into an “Orwellian State.”
The JPC, led by chairperson P.P. Chaudhary, has been tasked with identifying the problems and potential solutions and has held talks so far with Facebook, Twitter, Amazon, Google, Airtel, Jio, Ola, Uber, and Paytm among other major tech giants.
Definitions and points of contention
Among the points of concern are the definitions of the types of data and where each can be stored and processed. PDP Bill 2019 has segregated personal data into the following sub-categories:
- Sensitive Personal Data – (Chapter 1, Section 3, Sub-Section 36). Defined as any personal data which may reveal, be related to, or constitute financial data, health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political belief or affiliation, and any other data categorized as Sensitive Personal Data under section 15
- Critical Personal Data – The government has been given broad discretion to define this type of data. While not final, it is currently stated as “personal data as may be notified by the Central Government to be the Critical Personal Data”
Unlike the original intent that mandated the storage of all personal data within India’s boundaries, the amended bill states that a copy of Sensitive Personal Data needs to be stored locally and can be sent abroad for data processing, under certain regulations.
The revised bill would require Critical Personal Data to be processed as well as stored within India and only sent outside India under certain conditions (outlined in Chapter VII, Section 34, Sub-Section 2 of the draft).
What’s the next logical step?
India’s current path draws a parallel with the European Union (EU), where data privacy across all the European member states is regulated under the General Data Protection Regulation (GDPR). If we follow the analogy closely, the next logical step for India would be to launch its sovereign cloud, in line with the new European sovereign cloud initiative named GAIA-X.
If India goes ahead with a sovereign cloud, it would unlock a new dimension, at least for the public sector, to explore and build on. With the strong government push under the ‘Make in India’ and ‘Digital India’ initiatives as well as a strong IT workforce, a sovereign cloud platform would not be a too distant dream.
Some of the benefits to India from a sovereign cloud initiative include:
- Creating a secure and compliant platform for the public sector: India’s sovereign cloud would provide its public sector a secure, reliable, and compliant platform. Government-backed applications like messaging app Sandes and Twitter’s doppelganger Koo can effectively utilize a sovereign cloud platform. It can further be augmented to develop new applications, especially those designed for the public sector
- Spurring cross-collaboration across various industries: Having a sovereign cloud platform would enable more vertical industries to securely onboard to the platform. With strong guidelines, anonymized and aggregated data sharing could occur, leading to a collaborative ecosystem of data analytics where citizens reap the benefits
- Delivering community benefits underpinned by healthcare: A sovereign cloud platform like GAIA-X could augment the healthcare sector’s digitization endeavor and pave a compliant way for Electronic Health Records (EHR) creation and their interoperability. Currently, the Indian government is issuing digital vaccination certificates with QR codes and has plans to issue vaccination certificates that will be valid across the globe. Compliance could be hassle-free if India builds a sovereign cloud platform
The only big challenge that India might face is not having a successful sovereign cloud initiative of this scale to benchmark against. Europe’s GAIA-X will be the closest counterpart for India’s sovereign cloud initiative and that also is in a nascent stage.
Ripple effects on the Indian cloud ecosystem
With some degree of data localization seemingly inevitable, companies have identified a good business opportunity and are racing to get the ‘first-mover’ advantage. Various firms have started the ball rolling – from construction giants like Adani and Hiranandani jumping into the data center business to cloud solution providers like Genesys launching new capabilities with localized data storage and data sovereignty as key factors for its contact center solution.
With the enactment of PDP as law, we expect the proliferation of data centers and an increased cloud hyperscaler presence in India. A new hyperscaler-backed sovereign cloud initiative also could be possible, along with an increased focus by cloud service providers on the legal framework to keep critical data within India’s geographic boundaries.
In the long run, we can see certain service offerings emerging to manage client data, which would be very similar to how the software and services market for GDPR has evolved over the years.
What do you think the next logical steps for the government will be after passing the Personal Data Protection Bill, and how will the law impact the industry? Please share your thoughts with us at [email protected] and [email protected].