- The government has firmed up its stance on storing data of Indian users in the country despite the discontent of international players.
- Amid rising data theft, breaches, and leaks in India, the Supreme Court had directed the Indian government to formulate a Data Protection Bill to ensure and strengthen people’s rights over personal data and the right to privacy.
- In early April, the RBI issued a circular mandating that payment data be stored only in India by October 15.
- Then after the Justice Sri B. N Krishna Committee was formed in July 2017 to deliberate on a data protection framework for the country.
- Justice BN Srikrishna Committee report on the draft Personal Data Protection Bill 2018 was finally submitted to the minister of law and justice on July 27, 2018.
- The draft bill raked up controversies for its contents.
- A data protection draft law by a committee headed by retired Justice B N Srikrishna recommended that all personal data of Indians have at least one copy in India.
- A subset of that data, labelled critical personal data, must be stored and processed only in India.
- Around that time, a leaked draft of the government’s e-commerce policy recommended localisation for “community data and data generated by users in India from various sources including e-commerce platforms, social media, search engines”.
- It also discussed strategies to “incentivise domestic data storage in India” through facilitating data infrastructure.
- In August, a Reuters article found that a draft report of a cloud computing policy recommended localisation of Indians’ data.
- Earlier this week, companies around the world scrambled to try and meet a RBI-mandated deadline to store Indian users’ financial data in India, reigniting conversation about “data localisation”.
- Across ministries and sectors, the government has firmed up its stance on storing data of Indian users in the country, to the discontent of international players and the delight of domestic ones.
About Data localization
- Data localisation is a concept that the personal data of a country’s residents should be processed and stored in that country.
- Some directives may restrict flow entirely, while others more leniently allow for conditional data sharing or data mirroring – in which only a copy has to be stored in the country.
- As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” (MLATs).
Arguments in favour of data localization:
- Localisation will help Indian law enforcement agencies to access data.
- To ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers.
- This will reduce the crimes related to rumours spread through social media. For example, lynchings across the country that were linked to WhatsApp rumours.
- WhatsApp’s firm stance on encrypted content frustrated government officials.
- In addition, proponents highlight security against foreign attacks and surveillance, which opponents consider a weak argument in cases of data mirroring.
- Most domestic-born technology companies (which tend to have heavy foreign investments) support data localisation, and most of them store their data exclusively in India.
- Many argue that localisation would lead to a larger presence in India overall, such as local offices, and increase tax liability.
- “Data is the new oil” also provides a backbone to much of the localisation drive.
- In the home of the largest open Internet market in the world, companies like PhonePe claim that national wealth creation relies on in-house data storage.
- The e-commerce policy took on a similar stance, championing domestic innovation, and the data protection report also mentioned harnessing India’s digital economy.
Arguments against data localization:
- Industry bodies, especially those with significant ties to the US, have slung heavy backlash.
- Many are concerned about a fractured Internet (or a “splinternet”), where the domino effect of protectionist policy will lead to other countries following suit.
- Much of this sentiment harkens to the values of a globalised, competitive internet marketplace, where costs and speeds, rather than nationalistic borders, determine information flows.
- This in turn, may backfire on India’s own young start-ups that are attempting global growth, or on larger firms that process foreign data in India, such as Tata Consulting Services and Wipro.
Data protection across the world
- The think tank European Centre for International Political Economy has found a surge in data localisation measures worldwide over the last decade.
- Russia has the most restrictive regulation for data flow with strict localisation and high penalties.
- The European Union’s General Data Protection Regulation (GDPR) does not mandate all data to be localised, but rather restricts flow to countries with a strong data protection framework.
- The China government mandates localisation for all “important data” held by “critical information infrastructure” and any cross border personal data transfer must undergo a security assessment.
- The United States leaves regulation up to the state and sector.
- Earlier this year, President Donald Trump signed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) which established data sharing with certain countries.
- This is a big step forward from the current situation where no entity in India is obliged to inform you if your data has been compromised.
- The Indian data protection law should become a model globally, blending security, privacy, safety and innovation.