US mulls caps on H-1B visas: Recent development makes handling of trade relations with America immediate priority for govt
The action of the US is in response to India’s regime of data localisation which is not acceptable to firms from the United States
Justice Srikrishna Committee had emphasised on the need for data localisation emphasising that data of Indian citizens should be stored only in India
India presently has mandatory rules on data localisation in place for payments systems notified by the Reserve Bank of India
American firms have been pushing for a liberal e-commerce policy and ease of use of Indian private data
Ahead of US Secretary of State Mike Pompeo’s visit to India, the United States is believed to have informed India that it intends to cap H-1B visas for skilled workers from countries that compel foreign companies to store their data locally, a step that further widens the gap between the United States and India. The cap is expected to be about 10 percent to 15 percent and likely to adversely affect the big technology firms from India whose skilled workers avail these visas in large numbers.
Indian firms have been availing a major portion of about 70 percent of such visas out of approximately 85,000 or so issued by the United States each year. This adds to the on-going escalation of trade tensions between United States and India.
The action of the United States is in response to India’s regime of data localisation which is not acceptable to firms from the United States. Norms relating to collection, processing and storage of citizen’s data has been an issue of concern for India leading to norm-setting. India sees localisation of data as a key issue for law enforcement and access to data by law enforcement agencies in India in cases breach or threat to breach of data protection. Legal and regulatory disconnects across jurisdiction and technology challenges in access to such data stored overseas is seen as a major roadblock in the access and enforcement of data by law enforcement agencies.
The Justice Srikrishna Committee had emphasised on the need for data localisation emphasising that data of Indian citizens should be stored only in India in order to also protect such data from foreign surveillance, in addition to enabling easy access to such data to law enforcement agencies in India.
India presently has mandatory rules on data localisation in place for payments systems notified by the Reserve Bank of India (RBI). This is in addition to further expansion of data localisation norms already in the pipeline pursuant to the recommendations of the Justice Srikrishna Committee going forward.
The Personal Data Protection Bill and the draft e-commerce policy provide for further stringent norms of data localisation including restriction on transfer of such data to third parties, with or without consent of users. The scope of what is to be treated as ‘critical’ and ‘non critical’ data is a major point of debate from affected firms.
Apart from pushing up the costs of compliance for smaller players, bigger players in the e-commerce, social media and banking firms see this as unreasonable restriction in their business models space. These stakeholders have been pushing for even deeper consultations and research before putting the legal framework on data protection and data localisation into place.
Surprisingly, despite European Union’s GDPR providing for stringent data protection norms agnostic to sector or technology, the European Union has termed the emerging Indian regime on data localisation as unnecessary and potentially harmful to businesses as it would increase costs of compliance and create uncertainties leading to hampering businesses (by hindering data transfers) and affect investments in India.
Globally, other jurisdictions such as Canada and Australia have clear policies on data protection in the healthcare space. Even China has mandatory norms on data localisation, which has been perceived as a measure for the government to have access and control over such data. Even the United States has specific laws on the issue at the federal level in the health insurance and payments space. Many other jurisdictions such as Vietnam, New Zealand, Brazil, Korea and Japan have data protection frameworks in place.
It is clear that different compliance levels across jurisdictions makes it challenging for firms operating across jurisdictions to comply with differing regimes. However, India sees that till such time as a uniform global order on the issue emerges, it is imperative for governments to ensure the protection of data, prevent misuse of personal data and enable ease of access of such data by law enforcement agencies in India in cases of breach or to prevent misuse.
American firms have been pushing for a liberal e-commerce policy and ease of use of Indian private data, the twin issues of who owns such data and how revenue from the use of such data is shared remain key drivers of trade aspects of ownership and use of data.
Coming in the heels of withdrawal of duty-free imports of products from India into the United States and the subsequent recent imposition of higher tariffs on imports of some goods from United States, the recent actions of United States has made handling of trade relations between India and United States an immediate priority of India.
(The writer is founder & managing partner of Hammurabi & Solomon partners and an expert with the UNESCO Inclusive Policy Lab)
Firstpost Podcast: What is the Personal Data Protection Bill?
Why has the bill been withdrawn? Tune in
Firstpost Podcast| Explained: Digital personal data protection bill, 2022
The digital personal data protection bill frames out the rights and duties of the citizens on one hand and the data fiduciary's obligations to use collective data lawfully on the other, why do we need such a bill or an act? Tune in to find out
DNA Bill: To ensure justice is 'gene'-uine, govt must ensure privacy of individuals is respected as well
The proposed DNA Bill does not contain safeguards for eg, on why consent will be forced or assumed, exceptions to personal consent, and guidelines on sharing DNA data across borders, which are necessary to guide the exercise of this power whilst being respectful of individual liberty