Interview: Gaurav Bhalla on data storage and data localization laws in India

Gaurav Bhalla, a technology and data protection lawyer at Ahlawat & Associates, discusses data sovereignty and compliance.

Data localization laws require that certain categories of data be stored and processed within a country's own borders; they are intended to protect personal information and the security of data, and to give the state control over, and access to, data generated domestically.

Regulation 18 of the SEBI (Stock Brokers & Sub-brokers) Regulations specifies that every stock broker shall preserve the specified books of account and other records for a minimum period of five years. From October 2023, SEBI recommends that certain data, especially “sensitive financial data”, be stored within Indian data centers to ensure data sovereignty and compliance with Data Protection Regulations (SEBI’s 2023 Cloud Framework Guidelines).

We spoke to Gaurav Bhalla, a partner heading the Technology, Intellectual Property, Data Protection and Online Gaming practice areas at Ahlawat & Associates, to clarify the laws and regulations on storing data in India.

If firms based in India are using an overseas data center, how can they achieve compliance with the recommendation to store within Indian data centers?

The SEBI (Securities and Exchange Board of India), in its notification dated March 6, 2023, has mandated that “in order to ensure that RE (Regulated Entity) and SEBI’s right to access RE’s data as well as SEBI’s rights of search and seizure are not affected by adoption of cloud services, the storage/ processing of data including logs and any other data/ information pertaining to RE in any form in cloud … should reside/be processed within the legal boundaries of India.”

The SEBI has additionally clarified that “for the investors whose country of incorporation is outside India, the REs shall keep the original data/ transactions/ logs, available and easily accessible in legible and usable form, within the legal boundaries of India.”

While the intent here by the SEBI is to ensure that the Indian transactional data stays within its access, in unsaid words, this results in a ban on usage of overseas data centers in respect of data involving Indian transactional data. This would ideally result in overseas data centers setting up their local Indian data centers to comply with the Indian legislative requirement.

Is the SEBI asking for clear definition of data ownership and storage?

No, there is no publicly available documentation to suggest that SEBI has sought any definition of data ownership or data storage.

Is the sensitive data recommendation more focused on retail customers? Is there a definition of “sensitive data”?

The SEBI circular does not specify the scope of the term “sensitive data” as such (and whether it refers to individuals or data possessed by companies as well).

If we refer to our current general data protection statute, it contains a definition of “sensitive personal data” which mentions that: “Sensitive personal data or information of a person means such personal information which consists of information relating to;

  • password;
  • financial information such as Bank account or credit card or debit card or other payment instrument details;
  • physical, physiological and mental health condition;
  • sexual orientation;
  • medical records and history;
  • Biometric information;
  • any detail relating to the above clauses as provided to body corporate for providing service;
  • any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise.”

Accordingly, it can be seen that the general definition of sensitive personal data pertains to individuals (and not to entities).

Is the reference to data protection perhaps a hint that if you have the data in a place that is EU equivalent you will be meeting the standards in India?

I did not come across any reference to the EU or the GDPR in the SEBI circular or in India’s current and prospective data protection statutes. I think the data protection requirement is simply to ensure that the data is within the access of the Indian regulatory and investigation bodies, as well as for promotion of India’s data center industry (which has immense potential given the immense amount of data generated in India).

What are the Data Protection Regulations?

India has had a very concise data protection statute since 2011, termed the “Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011”. This is also the current data protection statute in force in India.

However, the Indian Parliament (in 2023) has passed the Digital Personal Data Protection Act 2023. While this Act has been notified in the official Gazette, it is yet to be brought into force. Further, the Rules under this Act are yet to be released in the public domain (these will offer more clarity on the exact manner of compliance to be carried out with the various requirements under the Statute).

What is the extent to which SEBI enforces local data residency, or is this ever part of supervision by SEBI on an ongoing basis?

There is no information to my knowledge, or in the public domain, to suggest that SEBI has taken any steps towards enforcement of the local data residency requirement.

To what extent does SEBI itself engage with a bank (or its vendor) to navigate or discuss these types of issues?

While there is no information available in the public domain, I’m aware that SEBI entertains various banks with their queries as well as issues involving clarification as regards the guidelines published by the SEBI, as well as challenges associated with compliance with such guidelines. While SEBI doesn’t usually entertain vendors with their queries, the vendors can often ask their banks to forward their queries to SEBI.

A number of banks leverage India for support functions including compliance. Have there been any enforcement actions or other sanctions arising from this?

Various global banks do use personnel residing in India for support and back-end services owing to the relatively cheaper (yet trained) labor available in India. We must keep in mind that these support functions are being carried out in respect of customers and transactional data not pertaining to the Indian financial ecosystem. The SEBI is only concerned with the data localization of the transactional data pertaining to transactions happening in India (and accordingly the guidelines also only extend to such transactions).

Possibly, it is because of this that we haven’t witnessed any action being taken by SEBI in respect of support functions being carried out by entities/personnel residing in India (on behalf of foreign banks relating to foreign transactions).

Would challenges/enforcement risk banks pulling material teams out of India and into other countries instead?

It seems highly unlikely that banks would consider pulling out material teams, owing to the fact that compliance with SEBI’s regulations is not entirely unfeasible for banks. It could cause inconvenience to them to have multiple data centers across the world, but I’m sure that with the quality and number of data centers now available in India, this is only a one-time setup task (and not an ongoing headache for the banks).

Do you think these types of data residency requirements are a trend that will apply to more countries in the future?

With countries becoming increasingly aware of and sensitive to the potential use (and misuse) of data (of individuals as well as entities), they are increasingly concerned about ways to minimize threats to their own economies (as well as to ensure that they reap the benefits of the data available domestically). Accordingly, while this might not be a prevalent trend as of now, there is no reason to suggest that data localization/residency will not be considered by various countries in the years to come.