During his address at the inaugural of a special session on digital economy, Trump attacked both China and India. The attack was marked by glaringly absurd internal contradiction. While China was attacked on 5G for violation of security and intellectual property, especially in the light of Trump’s ban on the Chinese telecom giant Huawei, India was singled out for attack on its condition on data localization as if Indian cannot afford to have the same security and intellectual property concerns over the personal data of its citizens.

Immediately after boarding his flight on his way to Osaka, Trump tweeted that “India’s high tariffs are unacceptable”. And then came this attack on India at the inaugural of the special session on digital economy. Many were puzzled by this attack. Just three days before Trump’s attack at G20, on 26 June 2019, the Modi Government dropped the data localisation conditionality from the new e-commerce policy just a day before US Secretary of State Mike Pompeo’s visit to New Delhi to do groundwork for Modi-Trump summit on the sidelines of G20 at Osaka. Still, why Trump chose to attack India on data localisation as if India had not already conceded? Was it because of the subsequent confusion created by the Reserve Bank of India (RBI)?

To trace the sequence of events, on the eve of Pompeo’s visit, on 25 June evening, Commerce Minister Piyush Goyal had a meeting with Indian representatives of Jeff Bezos and Walmart/Flipkart along with more than a dozen other e-commerce honchos and the next day the government succumbed! India’s dropping of the data localisation conditionality was announced by no less a person than the Commerce Minister Piyush Goyal himself. But in an unusual gesture, the RBI, in open contradiction to Piyush Goyal’s announcement, reiterated on the same day its stand set out in its 6 April 2018 circular that, “The entire payment data shall be stored in systems located only in India.”But then the stark absurdity in RBI’s statement didn’t escape any knowledgeable observer. The central bank said that “there was no bar on processing of the data abroad but the end data should only be stored in India”! What kind of data protection is this?

It is impossible that RBI could have been unaware of the Commerce Minister’s decision. It is also equally impossible that the Commerce Minister would announce such a major decision without taking PMO and the Cabinet into confidence. Were there any last minute second thoughts on the part of the Modi Government on this issue? But there was no official denial of the stand announced by Piyush Goyal. Were they waiting to make the announcement in a separate statement after Modi-Trump meeting at Osaka so that Trump could claim at home that it was a huge victory for his aggressive diplomacy?

Or, India could have conceded without any formal agreement so as to make it appear as if it is its own voluntary choice. The picture would be clear after the summit concludes on 29 June and formal statements of the summit as well as bilateral meets are issued.

Whatever it is, India’s volte-face poses several unanswered questions. Considering that the data localisation was one of the central provisions of the Draft Personal Data Protection Bill 2018 which was tabled in the parliament during Modi’s first term, this new decision means the Draft Data Protection Bill is now a dead-letter and the Bill cannot be tabled anew in the parliament in its old form.

The data that the foreign payment firms and companies engaged in e-commerce in India were supposed to store domestically as per the 6 April 2018 RBI circular must include end-to-end transaction details and information related to payment or settlement transaction collected or processed as part of a payment. This may include information such as customer name, mobile number, email, Aadhaar number, PAN number; payment sensitive data such as customer and beneficiary account details; payment credentials such as OTP, PIN, Passwords, among other things. All these data are crucial for the maintenance of the privacy of individuals as well as the confidentiality of business operations of the firms. One wonders what would be left of data security even if India can have no control over such data.

Justice Srikrishna Committee, appointed to go into the issue of evolving a data protection legislation, in its report recommended setting up a data protection authority to ensure this and this would also be given a go-by. What data is left for such an authority to protect?

In a more fundamental sense, Section 44 in the Aadhaar Act—which says that the act would also apply to any offence or contravention committed outside India by any person involving any data from the Aadhaar data base—enabled filing of FIRs against any person misusing Aadhaar data and now if data can be stored and processed abroad and used, how the Indian agencies can curb its misuse? Would this section in the Aadhaar Act also be scrapped next?

Actually, it was a lobby within the RSS which originally started the campaign for data localisation. Swadeshi Jagran Manch and RSS leaders like Subramaniam Swamy and Govindacharya were openly campaigning in its favour. RSS Chief Mohan Bhagwat however maintained a studied silence. With this somersault by Modi, will Swadeshi Nationalism on data protection also meet its silent death? (IPA Service)