India’s government is said to be considering a sweeping new data privacy bill similar to the General Data Protection Regulation in Europe that would force major internet companies such as Google LLC and Facebook Inc. to store data on its 1 billion-odd citizens at facilities within the country.

The bill, which is said to have been drafted by a committee headed up by former Infosys Ltd. founder Kris Gopalakrishnan, mandates data localization for investigative and security reasons, Reuters reported. It also proposes tough penalties for any company that flouts the rules on how data is handled.

The draft bill comes at a time when India’s political leaders are seemingly waking up to the advantages that a data-driven economy can provide. Earlier this year, the country’s government drafted a new National Digital Communications Policy that established “data sovereignty” as a critical goal for the country. That policy calls for India’s government to establish by 2022 a “comprehensive data protection regime for digital communications that safeguards the privacy, autonomy and choice of individuals and facilitates India’s effective participation in the global digital economy.”

Data sovereignty is fast becoming a key objective for many nations. Data privacy and security have always been major priorities, but nowadays governments are increasingly recognizing that the economics of data are crucial for growth and innovation, so it’s beneficial for them to be able to control and maintain that data, Reuters reported. One immediate advantage is that by doing so, it forces cloud and other service providers to spend money locally.

“Data residency and related privacy concerns are key drivers in a number of economies and countries at the moment,” said Holger Mueller, principal analyst and vice president at Constellation Research Inc. “To a certain extent countries try to create some business development for them, requiring local data centers. But the economies have to be large enough, which is certainly the case with India, to have enough weight to get cloud infrastructure providers onboard.”

The draft bill will make U.S. internet firms sit up and take notice, not least because India’s large economy makes it one of the fastest-growing cloud computing markets. According to data from research firm Gartner Inc., public cloud revenue will grow to $2.5 billion this year, hitting an annual growth rate of 37.5 percent.

The rules shouldn’t come as a surprise either. India has long maintained strict regulations around local ownership and investment, Reuters said. Those rules have been eased somewhat since the 1990s, but there is still a massive gap when it comes to data localization that the growth of cloud computing has made much more apparent.

If the draft bill does take effect in India, cloud providers such as Google, Amazon Web Services Inc., Microsoft Corp. and Alibaba Group Holding Ltd., would be forced to make substantial investments in the country in order to build additional local data centers. They would also need to take steps to ensure that data on Indian consumers doesn’t accidentally flow to an offshore data center.

However, these companies, which all have a significant presence in India, would be the ones most likely to benefit from the new rules, said Patrick Moorhead, president and principal analyst at Moor Insights & Strategy.

“I don’t see any long term negative to the big cloud players like AWS and Azure, but it could impact some of the global tier-two providers,” Moorhead said, noting that the latter would have fewer resources to invest in the necessary new infrastructure. “This is very similar to Germany and China, which require citizen data to be held in the country. Big players can afford to invest and build India data centers. It could increase the cost to Indian businesses and consumers, though, which is a negative.”

From Indian consumers’ perspective, the bill certainly shares a lot of similarities to Europe’s GDPR act, which came into force in May. Just as with the GDPR, India’s draft bill also bans the collection, recording and disclosure of personally identifiable data. This includes data on consumer’s finances, health, genetics, political and religious beliefs and sexual orientation. Companies would only be able to collect and process such data with the consent of the individuals concerned.

The draft stipulates that consumer consent must be explicit and gives individuals the right to withdraw that consent at any time. The bill also allows citizens to request access and corrections to their own data and grants them the “right to be forgotten.”

Image: Simon/Pixabay