Data Localisation

(Practices Questions:

  1. There has been a growing trend towards data localisation in policy making and administration in India. Analyse.
  2. The Justice Srikrishna Committee has favored the localisation of data within Indian boundaries with qualifications. What issues must be kept in consideration while formulating data localisation laws?  
  3. While formulating data localisation laws, a ‘one-size-fits-all’ approach may not be appropriate. Comment.
  4. There is a growing trend of data localisation in India. Do you agree? What are the reasons?
  5. The use of data driven growth has its benefits and fair share of demerits. What are the challenges that India would face if strict data localisation laws are enacted?)

 

Cyberspace is a challenging domain for lawmakers, law-enforcement agencies (LEAs), and other wings of the government concerned with privacy and national security. Moreover, in formulating a law for the cyberspace there is an additional challenge of balancing ‘fundamental right to privacy’ and the ‘freedom of expression’. With the increasing emphasis on privacy, the argument for ‘storing the data of individuals within the national boundaries’ or ‘data localisation’ is gaining ground.

Trends towards data localisation: The political narrative in India also seems to be tilting towards data localisation. This may be gauged from recent developments in the regulatory and policy frameworks on data governance, which may compel companies to set up their data centres within Indian shores. The following regulatory and policy developments show trends of data localisation:

  • Goals set in the Draft National Digital Communications Policy 2018.
  • Reserve Bank of India’s notification on Payment Data Storage 2018.
  • Guidelines for Government Departments for Contractual Terms related to Cloud Storage 2017.

Why data localisation is deemed necessary 

The extensive data collection by technology companies, due to their unfettered access and control of user data, has allowed them to freely process and monetise Indian users’ data outside the country. This has raised data protection and privacy concerns. Furthermore, the advent of cloud computing raises important questions on accountability of service providers who store Indian users’ data outside of the country’s boundaries, leading to a conflict of jurisdiction in case of any dispute.

The rationale behind such mandates has been attributed to various factors, such as: securing citizen’s data, data privacy, data sovereignty, national security, and economic development of the country.

The Issue of Jurisdiction: Eight of the top 10 most accessed websites in India are owned by U.S. entities. The location of mega multinational corporations, which are home to data of, and provide services to, citizens around the globe in different jurisdictions does pose a challenge. Their servers are located in the United States, Europe, Singapore and other jurisdictions with conditions suitable for data centres. In the event of a crime, Legal Enforcement Agencies (LEAs) may need access to the data stored on these servers. In order for LEAs from such countries to obtain content data (for investigations or evidence), due process has to be followed via the route of Mutual Legal Assistance Treaty (MLAT) between countries. But MLATs are a frustrating process, since they were not for the Internet age but for the age of physical evidence. It takes, on an average, ten months for LEAs to access the required data via MLATs by which time the possible evidence is outdated, and criminals are able to cover their tracks.

Related recent incidents of importance that would have a bearing on the ‘data localisation’ argument (these incidents can be used in the answers/essay as per relevance):

  • Facebook and Cambridge Analytica breaching the privacy of nearly a hundred million global citizens, and interfering in the US and Indian elections.
  • Numerous reported incidents of data breach. E.g. Google plus data breach.
  • The data protection law developed by the Justice Srikrishna Committee.
  • The ‘right to privacy’ judgement by the Supreme Court of India.

Reconciliation with economic and scientific progress:

The benefits of data-driven growth: The Supreme Court supports the march of technology, innovations, growth of knowledge, and big data analytics for the growth of economies, and for better services to citizens. It recognizes the role of data driven innovation (DDI) for the growth of economies, and for job creation.

Reports suggest that cross-border data flows contributed $2.8 trillion to the global economy in 2014, which is expected to touch $11 trillion by 2025. Data has often been referred to as the new oil, an economic resource, that is fuelling the fourth industrial revolution.

Recent news of a young man working as a coolie on a railway platform in Ernakulam, who prepared for his civil services exam using the free WiFi, provided by railways, to access reading material, and became successful, is a great example of empowerment.

The benefits of cross-border data flows, which have powered the Indian IT/BPM industry, and is poised to grow from its present $175 billion to a trillion dollars over the next five years. Access to education, health, banking, entertainment, commerce and social communities have been possible only because of economies of scale and speed, which, in turn, have been achieved through the globally located cloud infrastructure.

The sectors which would be affected:

Cloud Computing sector: Cloud computing based services are affordable for consumers and small businesses/start-ups because they rely on massive economies of scale with globally distributed data centres. Requiring data centres to be localised undermines the cost-effectiveness of cloud-based computing services.

Startups: India has the third largest startups base in the world, with new global unicorns emerging. These startups are able to significantly reduce their IT costs and access global markets because of cloud based solutions. Clouds are critical to their innovative activities without investing in data centres.

Way ahead

The Srikrishna Data Protection Committee, in its white paper, records the following provisional views on data localisation: “……. India will have to carefully balance the enforcement benefits of data localisation with the costs involved pursuant to such requirement. Different types of data will have to be treated differently, given their significance for enforcement and industry. It appears that a one-size-fits-all model may not be the most appropriate. Thus while data localisation may be considered in certain sensitive sectors, it may not be advisable to prescribe it across the board.”

Issues that must be kept in consideration:

Adequate attention needs to be given to the interests of India’s Information Technology Enabled Services (ITeS) and Business Process Outsourcing (BPO) industries, which are thriving on cross-border data flow.

The possible rise in prices or unavailability of foreign cloud computing services in case of a data localisation mandate, and its impact on medium small and micro enterprises (MSMEs) as well as start-ups relying on these services must also be counted for.

Domestic and foreign businesses engaged in developing data driven new age technologies such as Internet of Things and Artificial Intelligence may also find it hard to comply with data localisation requirements.

Adequate infrastructure in terms of energy, real estate, and internet connectivity also needs to be made available for India to become a global hub for data centres. Promoting confidence in users without sacrificing expectations of privacy, security, and safety must also be worked upon.

Enhanced cooperation between all stakeholders in the global arena, through prolific debates, may pave the way ahead for deciding the fate of cross-border data flows, without compromising on data privacy, security and sovereignty.

Sources: Economic Times and The Hindu Business Line.