Contact Form

Sticky Contact Form

Guardians Of Data: Navigating New Age Data Centres In India With A Focus On Privacy And Protection

By - King Stubb & Kasiva on November 24, 2023

What is a Data Center?

A data centre is a facility, whether physical or virtual, that supports data storage, upkeep, and the using applications, whether shared or otherwise, which may be based on a network of computing and storage resources. The key components of the data centre design include routers, switches, firewalls, storage systems, servers, and application-delivery controllers.

What is a New Age Data Center?

With the advent of new technologies, the new age data centres have transformed data centres from physical to virtual data centres. These new data centres are more robust eco-systems that are built by integrating technologies like artificial intelligence, machine learning, cloud computing, robotic process automation and convergence of four technologies which are Social, Mobile, Analytics and Cloud (SMAC).

Advantages of New Age Data Centers

New Age data centres provide more advantages to businesses when compared to traditional data centres. The major ones include the following:

  1. Ease of doing business: Modern data centres can substantially support business operations. The use of machine learning and automation eases the daily operations of businesses by reducing the manual workload and new advancements like cloud computing and virtualization reduce hardware requirements, leading to lesser energy usage and cost savings. They provide high scalability, making it easy to respond to changing business needs. Whether a company needs to scale up its operations or scale down, these centres adapt quickly. Moreover, they offer better reliability, with built-in redundancy and disaster recovery mechanisms, reducing the risk of operation downtime.
  2. Easy operability: The use of software-controlled features makes it easy for organizations to transform their business while digitizing their data. The use of automation in new-age data centres makes operations more efficient. Automation reduces human intervention in routine tasks, mitigating the risk of error and enabling teams to focus on core business growth activities. Additionally, its integrated systems and software simplify IT infrastructure management and maintenance.
  3. Legal compliances: They help in providing better cyber security services which helps in decreasing the liabilities and penalties on the organizations by complying with law. Complying with various data protection regulations is critical for businesses today. Modern data centres are equipped with advanced security features to protect sensitive data, and they often have experts on board to help clients navigate complex data compliance landscapes. Some also offer services like automated compliance reporting, making it easier to ensure regulatory adherence
  4. Redundancy: The use of technology and software-controlled features ensure continuous functionality even in the event of a component failure. It minimizes the risk of data loss and downtime.
  5. Disaster Recovery: Modern data centres offer robust disaster recovery and business continuity solutions. They can quickly restore data and services after a mishap, minimizing business interruption.

Impact on Industry

There is a rapid growth of advancement of e-commerce, production of mobile phones and growing acceptance of cloud computing. This steady growth of the digital economy has fuelled the demand for more data centres. However, the expansion of data centres is accompanied by new security risks and challenges. Data centres are the chief targets of cyberattacks which could be disastrous for the company and its business.

It is very crucial for companies to protect the business data of the company and personal data of customers, employees, business partners and associates to comply with laws and regulations, maintain reputation, avoid financial losses, ensure business continuity and gain a competitive edge in the market.

Organisations must take action to safeguard their data which is being stored in data centres established by them or with third-party data centre service providers. This entails putting in place strong security measures in accordance with all the applicable cybersecurity and data protection regulations.

Data Protection Laws and Regulations in India.

India has introduced its new Digital Personal Data Protection Act, 2023 (“The DPDP Act”) which governs the processing of personal data of individuals. The table given below explains the legal compliances that are applicable to entities providing data storage facilities under the existing regulatory framework and the new law in India which is going to be enforced soon.

S.No.CompliancesExisting LawNew Law
 1Consent and NoticeThe Information and Technology (Guidelines for Intermediaries and Digital Media Ethics Code), 2021 Rules[1] mandate the intermediaries to disclose the terms and conditions, privacy policies and procedures to their users.   It also states that the information provided voluntarily by the User to the significant social media intermediary for the purpose of verification cannot be used for any other purpose without the expressed consent of the User.[2]Data Fiduciaries[3] have the obligation to take specific, informed, unconditional and unambiguous consent from the Data Principal[4] with a clear affirmative action.   The processing[5] of data should be limited to the purpose mentioned while taking the consent.   The consent should be accompanied or preceded by a notice which contains the following:  The personal data that is collected and the purpose for which it is proposed to be processed for.The rights of the Data Principal and the manner in which they can exercise their right. The manner in which the Data Principal can file a complaint with the Data Protection Board.  
 2Reasonable Security StandardsThe Information and Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules of 2011 (“SPDI Rules”), mandate the use of reasonable security practices by the body corporates who collect and process personal data of individuals.   The international standard IS/ISO/IEC 27001 on “Information Technology - Security Techniques - Information Security Management System Requirements" was advised as a best practice of reasonable security standards under the guidelines.The Data Fiduciary is responsible for maintaining reasonable security safeguards to secure the Data Principal's personal data, even if he has appointed a Data Processor to process such data.    Before appointing a third-party vendor to process data on their behalf, the Data Fiduciary may conduct an Audit to find out the acceptable security safeguards used by them. They can also continue to perform frequent audits to ensure that the system is safe and secure.
 3Notification of Data BreachThe Indian Computer Emergency Response Team (“CERT-In”) guidelines issued under Section 70B (6) of the Information and Technology Act mandates the companies to report cyber incidents that impact national security, economy, public health or safety.   They have to report the cyber incident to the nodal agency within 6 hours of knowledge of occurrence.   If they fail to comply with these directions, it will lead to imprisonment of upto 1 (one) year or with a fine upto INR 1,00,000 (Rupees One Lakh) or both.  The Data Fiduciary is responsible for notifying the breach to the effected Data Principal and the Data Protection Board immediately.   The manner in which the notification should be given is yet to be clarified by the central government.   Breach in giving this notice may lead to a penalty which may extend to INR 2,50,00,00,000 (Rupees Two Hundred and Fifty Crores).
 4Data LocalizationThe RBI direction vide circular DPSS.CO.OD.No.2785/06.08.005/2017-18 dated April 06, 2018, mandated storage of data collected during payments, which is sensitive data and the financial data of the user, to be stored in the serves located within the territory of India.   Section 3(9) of the IRDAI (Maintenance of Insurance Records) Regulation, 2015 mandates that all insurance data relating to insurance policies and claims made in India shall be stored and maintained within the territory of India.  The DPDP Act, allows processing of data outside the territory of India. However, the Central Government of India has the power to restrict the transfer of personal data to any country or territory outside India as notified by them.   Note: This does not interfere with the sectoral regulations which mandates Data Localization.
 5Grievance RedressalThe Information and Technology (Guidelines for Intermediaries and Digital Media Ethics Code), 2021 Rules mandate the intermediaries to appoint a grievance officer capable of handling user grievances about violation of the rules. The Data Fiduciary is obligated to setup a grievance redressal mechanism for the Data Principal. They should have a person who acts as a point of contact between the Data Fiduciary. It can be the consent manager or Data Protection Officer in case of Significant Data Fiduciary, or any person appointed by the Data Fiduciary.   They have to publish the contact details of the grievance redressal officer in the manner prescribed by the central government.   The Data Principal should first exhaust the right to grievance redressal before approaching the board with their complaints.

Note: New Law which is DPDP Act is an extension of the existing laws and regulations. Once the rules from the central government are released, the DPDP Act will be fully enforced. As a result, Section 43A of the Information and Technology, and the SPDI Rules of 2011 will be omitted and will be replaced by the DPDP Act once it is enforced.

The rules regarding obtaining consent, serving notice, grievance redressal mechanism, implementation of reasonable security safeguards, manner are going to be published by the Central Government soon. Along with the Rules they will also establish a Data Protection Board and release the list of countries/territories outside India where personal data cannot be shared.

FAQs

What are Data Centres?

A data centre is a facility, whether physical or virtual, that supports in data storage, upkeep, and the using applications, whether shared or otherwise, which may be based on a network of computing and storage resources.

What are New Age Data Centres?

New age data centres are more robust eco-systems that are built by integrating technologies like artificial intelligence, machine learning, cloud computing, robotic process automation and convergence of four technologies which are Social, Mobile, Analytics and Cloud (SMAC). 

How does the DPDP Act address cross-border data transfers?

The DPDP Act permits extraterritorial data processing linked to services in India, doesn't impose current restrictions on transfers but allows the government to specify terms later.

How does the DPDP Act address challenges for businesses in terms of compliance and penalties?

The DPDP Act increases compliance costs for businesses, especially SMEs, and proposes penalties of up to ₹250 crore for non-compliance, emphasizing the importance of adhering to data protection standards.


[1] https://mib.gov.in/sites/default/files/IT%28Intermediary%20Guidelines%20and%20Digital%20Media%20Ethics%20Code%29%20Rules%2C%202021%20English.pdf

[2] Rule 4 (7) of the Information and Technology (Guidelines for Intermediaries and Digital Media Ethics Code), 2021

[3] Section 2(I) of the DPDP Act defines the Data Fiduciary as any person who alone or in conjunction determines the purpose of the processing of personal data.

[4] Section 2(j) of the DPDP Act defines Data Principal as an individual to whom the personal data relates and includes the parents or lawful guardians in case of a child or a person with disability.

[5] Section 2(x) of the DPDP Act defines processing as a wholly or partly automated operation(s) performed on digital personal data and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure, or destruction.

King Stubb & Kasiva,
Advocates & Attorneys

Click Here to Get in Touch

New Delhi | Mumbai | Bangalore | Chennai | Hyderabad | Mangalore | Pune | Kochi
Tel: +91 11 41032969 | Email: info@ksandk.com


Liked this Article ?

Join our list to receive more such updates

Subscription Form

By entering the email address you agree to our Privacy Policy.

King Stubb & Kasiva

Offices In - New Delhi | Bangalore | Mumbai
Chennai | Hyderabad | Kochi | Pune | Mangalore

Subscription Form