Digital Personal Data Protection Bill 2022 and its impact on India’s booming data centre industry

As India accelerates to become a digital ecosystem, the demand for data centres is growing exponentially. The enterprises are actively stepping ahead to invest in these assets, owing to the rise in cloud adoption and data consumption. Their willingness to have data centres for data storage and deployment facilities has set a favourable climate to transform India into a global hub. This growth is further propelled by visionary government schemes and initiatives such as Digital India, Make in India, Atmanirbhar Bharat, and others. The country with the cheapest internet, enhanced connectivity and affordable smartphones presents a huge opportunity for data centres which are expected to receive an investment of around USD 200 billion per annum by 2025 as per Nasscom.

Increased data consumption means heightened need for protection of crucial data protection and it is encouraging that the Indian government has brought the Digital Personal Data Protection Bill 2022 (the “2022 Bill”). This was a much awaited step to protect user’s personal data from unauthorized use and make this digital ecosystem reliable, trustworthy and safe. The 2022 Bill also prioritises efficient data use with clarity and informed consent with an assurance of data safety. While the 2022 Bill follows the right objective of protecting personal data and clears the way for cross-border data transfer, it dilutes the data localisation norms that were mentioned in the Personal Data Protection Bill, 2019 which raise pertinent questions on protection of data generated in India but processed and/or stored in a foreign land, as well as also on national security and sovereignty. 

Also, the overriding provision of the 2022 Bill can lead to ambiguities and conflicts as it says that in any event of a clash between its provisions and any other existing law, the former will prevail. Previously, the Reserve Bank of India mandated that for data security, all data generated by Indian payment systems are required to be stored in India. Similarly, the Securities and Exchange Board of India also announced its intention to come up with guidelines that will mandate foreign entities to store data pertaining to India locally. Now, the overriding provision of the 2022 Bill will not only create more situations of conflicts but will also question the legal validity of sectoral regulations.

Strong data localisation policies of the government actually encouraged setting up of a robust data centre ecosystem in India as they mandated processing of data generated in the country within its boundaries. However, the 2022 Bill in its current shape says that the central government, after assessing necessary factors, can notify jurisdictions to which personal data can be transferred across the border with of course specified terms and conditions.

If it becomes an Act, it will make it possible for data fiduciaries and processors to share data outside the country without knowing how the transferred personal data will be processed outside India. This can pose serious security concerns and make it tough to ensure a similar level of security in the countries where data is being stored. For instance, in case of any data breach or unauthorized data sharing, it will become difficult for security agencies to trace the misconduct. Data localisation can help in enforcement of data protection, secure national interest, and protect citizen or financial data from foreign surveillance with better control. Several countries have provided for blanket ban on transfer of personal data and/or restriction on data transfers based on sectors including health, defence, government, telecommunication, financial etc. Thus, it is critical to ensure that personal data of citizens/residents of India is stored and processed within India, specifically data related to health, financials, biometrics, affiliations etc. 

Bringing more clarity for fixing responsibilities and accountability in the event of breach of personal data  

The 2022 Bill enlists 3 key stakeholders on which its provisions can be applied: i) data fiduciary—the entity which determines the purpose and means of data processing; ii) data processor—the entity which processes personal data on behalf of data fiduciary; and iii) data principal—to whom the personal data relates. It defines the term ‘processing’ as an automated operation performed on digital personal data through its lifecycle, like collection, recording, organisation, structuring, storage, adaption, alteration, etc. 

The term ‘storage’ is quite open-ended and may lead to the inclusion of property owners, lessors, licensors and colocation service providers (“Infrastructure Providers”) within the purview of data processors as they provide space and infrastructure support to data fiduciaries/data processors for their servers and equipment at the data centre building. The servers and equipment (wherein data, platforms and apps are stored) remains under the control of such data fiduciaries/data processors and not the Infrastructure Provider who are not even authorized to monitor/access/control any personal data stored in such servers/equipment. Hence, a clarification should be inserted that if an entity does not monitor or access the personal data in a server/equipment of a data fiduciary and merely provides the space and infrastructure support, then such entity shall not be considered as ‘processing’ the personal data. Moreover, it would be too onerous on Infrastructure Providers to comply with the obligations of data processors wherein they are merely providing the space and infrastructure support to the data fiduciary for their servers/equipment in the building. For eg.; the obligation on Infrastructure Provider to act as data processor and notify any personal data breach event to all the data principals and data protection board of India whereas such Infrastructure Provider neither have any access/details of the data principal nor involved in any processing of the personal data which makes it infeasible for them to notify affected users.

In a digitally connected world, the importance of data centres is huge. Data Centres are economic warehouses and provide the highly resilient infrastructure to ensure uninterrupted critical services to its customers with 100% uptime so that the business, operations, and systems of its customers including their equipment/servers (wherein data, platforms and apps are stored) function efficiently, effectively, and above all continuously. The companies and even government organisations are increasing their dependence to store important data in a secured environment of data centres. Hence, elimination of bottlenecks and ambiguities will boost confidence of investors and will support the growth of data centre industry which has been given the infrastructure status recently in the last Union budget 2022-23.

With great opportunities ahead, the 2022 Bill must act as an enabler that not only supports the growth of data centres but also as a building block of Digital India for a resilient economy.

Source :

[1] https://timesofindia.indiatimes.com/blogs/voices/digital-personal-data-protection-bill-2022-and-its-impact-on-indias-booming-data-centre-industry/

[2] https://tele.net.in/digital-personal-data-protection-bill-2022-effects-on-indias-booming-data-centre-sector/