Data Localisation: Which Way Are We Heading? | by Anubhav and Pragati

(A 13-year-old child reading a newspaper)

Son: Hey dad! See what Mark Zuckerberg is saying. What is he regretting for?

“Mark Zuckerberg: We have a responsibility to protect your data and if we can’t, then we don't deserve to serve you”.

Dad: Dear son, everyday we enter all our personal information on various social platform but have you ever thought where all this data goes?

Son: It’s so simple dad! They create a number of hard drives and store it in some locker rooms, like we see in the movies.

Dad (laughing): No son, I also believed the same when I was of your age but it is not like that. This whole data that you enter is channelized through various online platforms and is served worldwide, but remember son it has its own pros and cons!

Son: Oh! But dad how is all that connected to Mark Zuckerberg’s statement?

Dad: See son, as I told you, there is a worldwide connectivity of data because of which it is stored in the form such that it is not easily accessible to anyone. However, do you know that recently in the US elections it was reported that a British-based company, Cambridge Analytica took out some personal data from Facebook and used it to influence voters’ opinion.

Son (Astonished): Oh really! Is there any solution to it, dad?

Dad: Of course, son! Always remember that there is a solution to every problem. In this case it is the policy of data localisation. Even our government is looking to enforce such policy.

Son: Data localisation, what’s this dad?

Dad: Come son, let’s discuss about data localisation in detail and what will be itsimpact if it is adopted by our nation. Then, I want you to give me your opinion on this move by the government.

Son: Okay dad, I am very excited to know about this. Let’s begin!

Dad: So, data localisation!

Why or Why not? Restricting Investment or Benefitting Nation? What and What not?

Data localisation is the act of storing data on any device that is physically present within the borders of a specific country where the data is generated. Data localisation requires that initial collection, processing, and storage should first take place within national boundaries.

The push for data localisation greatly increased after revelations by Edward Snowden regarding United States counter terrorism surveillance programs in 2013. Since then, many governments, especially in Europe, have come up with data localisation laws restricting the flow of citizens’ data outside the nation in the purview of nation’s security.

The topic further got momentum when Cambridge Analytica, an IT service management company collected personally identifiable information of more than 87 million Facebook users in 2014. As per the allegations, the data was used to influence voters’ opinion on behalf of politicians who used them. In December 2015, The Guardian reported that Cambridge Analytica also assisted President Trump’s campaigns. After this incident, Mark Zuckerberg, Facebook director himself apologised for the data breach. He even made the revelation that 562 thousand people in India were ‘potentially affected’ by this global data leak crisis.

Such incidents raise various serious questions:

Is the privacy of our data ensured?

Are the payment channels of our nation secure?

Are the security agencies able to maintain confidentiality?

India’s push for data localisation came at the time when the concerns for data security at global level reached at its peak. On 5 April 2018, RBI felt that since the payment ecosystem in India has expanded considerably the safety and security of data needs to be ensured. The RBI, hence, gave directions to global payment system operators established in India to store data within India within a period of 6 months. However, after a meeting in June, the Finance Ministry provided some relaxations saying that data could be stored offshore if one copy of it is maintained in India. Companies like Google, Microsoft, Paytm, etc. supported the decision of RBI.

In August 2017, the government set up a committee under the chairmanship of retired Supreme Court judge Srikrishna over the topic of data localisation. The keenly awaited report on data protection law was submitted by justice BN Srikrishna committee on 27 July, 2018.

This bill will form the framework for India’s data protection laws, prescribing how organizations should collect, process, and store citizens’ data. The report has proposed penalties for violations, criminal proceedings, setting up of a data authority, provision of withdrawal of consent, and concept of consent fatigue. Some of the main highlights of the report were as follows:

1. The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected, or otherwise processed in India.

2. Cross border data transfers of personal data, other than critical personal data, will be through model contract clauses containing key obligations with the transferor being liable for the harms caused to the principal due to any violations committed by the transferee.

3. The bill strengthens UIDAI powers when it comes to Aadhaar-related legal action by maintaining that only the UIDAI can approach the courts in case of any Aadhaar disputes.

The draft bill is now submitted to the government which will take the comments of stakeholders and approval of the cabinet before finalizing the legislation. The bill has revoked mixed reactions. Many believe that the report already has various loopholes, saying it would give excessive powers to the government or it would lead to reduced powers of FBI whereas many others believe that this would increase the security concerns of nation.

How data localisation favours India?

Data localisation would lead to data sovereignty and data monopolisation. This would provide the users with stronger data protection framework that respects the privacy concerns of citizens, and a level playing field for the Indian start-up ecosystem with respect to global tech giants. Further, the financial data of consumers is the "critical personal data" which should definitely be stored and processed only in India. It is definitely a cherishing moment for the nation that big global companies like Xiaomi, VMW, Paytm and Alibaba have come forth in favour of data localisation.

One of the key drivers of data localisation is the perception that lawful access to data would be facilitated, especially given the MLAT process is broken. This is based on an incorrect understanding of applicable legal and regulatory framework. Further, access to data for legitimate purposes can be enabled without a requirement of physical location of data. Any universally acceptable law will have to provide for LEAs to access data of suspects on probable cause, and for crimes under the law, and that too under judicial oversight. Several instances are reported in which companies are asked to share data with LEAs without following the due process, in violation of privacy of the users. It is important that the data protection law upholds basic human rights as spelled out in the Justice.

It is the way to survive our own populaces or to boost local economic activities.

The dark side of data localisation

While in 20th century, steps were taken to decentralise and globalise internet, the protectionism policy in 21st century is indeed contradictory. These regulations are alarming for both economic and political reasons. Such restrictions would increase the set-up cost for companies, especially MNCs as the companies would require to set up data storage centres in the nation itself. This would further discourage new start-ups to mark their entry in India. Data localisation in India would lead to direct face off withthe U.S. tech giants. U.S. technology giants, hence, even plan to intensify lobbying efforts against stringent Indian data localisation requirements. Hence, this issue could further undermine already strained relations between U.S. and India. Further, storing data through cloud computing is more cost efficient, hence increasing cost by setting up data storage centres may even raise a question mark against the Digital India mission. In other words, it could be said that this scheme would challenge accessibility of SMEs to global services. Hence, data localisation restrictions may even negatively impact the GDP of countries mandating it. It even reflects an authoritarian regime and a tool to enable local surveillance.

It has been seen that companies with data as the main commodity has some of the highest carbon footprints, owing to their data centres. In such a situation, setting up of data storage centres in India doesn't seem to be a cost-effective option, neither economically nor environmentally. Especially, when we live in a nation where the PSUs are accused of corruption and red-tapism, then how can we ensure that the data saved with government is in safe hands.

In this era of globalisation and fast advancing world, data localisation instead of fulfilling its basic purpose may just hinder the flexibility internet is offering today.

Data localisation might just restrict the investments from giant companies and foreign support from corporations. This in turn restricts the notion of liberalization and destroys the true essence of globalization.

To maintain the large reserves of data in storage requires humongous resources. Along with this, we must always keep in mind that data leaks may happen, which means that this also poses potential security threats to the citizens and violates their privacy rights. Therefore, it is an outstanding obligation on the party that deals with data localisation to ensure proper supervising and sufficient availability manpower to disallow data security threats.

Around the world

Data localisation laws do not mandate total localisation of data. Europe’s new data protection does not introduce localisation requirements, but instead put limits on cross border data flow with countries that do not have data protection laws . In May 2018, EU adopted general data protection regulation, which consisted of one set of data rules for all companies operating in the EU, wherever they are based. A stronger rule on data protection means people have more control on personal data and business benefits from a level playing field.

Furthermore, more than 80% of India’s data centre supplies were concentrated in 5 cities. It is recommended conducting a study to identify 20 locations conducive for such infrastructures, while also looking at incentives and tax relaxation to foster industries' growth.

Son: See dad, after knowing all this about data localisation, what I feel is that, data can be in various forms. It may be regarding news and information, personal,community and corporate data, data concerning the business activity, military, banking,health and education, agriculture and so on. Some of this data is very sensitive and is used for governance and policy-effective regulation, economic development and so on. The rational debate that is going on data localisation needs to integrate a wide range of social, political and economic perspective. Legal and democratic requirement for local data regimes needs to be appropriately balanced with the values of global digital integration. It is expected that the cross bordered data flow will touch 1.1 trillion by 2025. This has raised data protection and privacy concerns. Further, the advent of cloud computing has raised an important question of accountability of service providers who store Indian user's data outside the boundaries of India which contradicts with the thought of rational security. Therefore, adequate attention needs to be given to the interest of ITs and BPOs which are thriving on cross bordered data flows.

At the end, I would like to say that enhanced cooperation between all stakeholders in the global arena through prolific debates may pave the way ahead for deciding the fate of cross border data flows without compromising on data privacy, security,and the sovereignty of a nation!

Dad: Amazing son! Amazing! You have made me proud and I know you are goingto make it big in future. Just focus and keep working hard. Your commitment and values that you inculcate will actually define your path in future.Let’s wait for the well-considered and reasoned report of Justice Srikrishna Committee,which will take into consideration the imperatives of economic growth, innovation, job creation, national security, and informational privacy in the light of the SC judgement, and global technological developments, and for retaining our competitiveness.