The unfolding of the Facebook data breach controversy has raised concerns about data privacy and security of individuals, companies and countries. It has also brought to light the discussion around whether digital data generated by a country’s citizens must be stored locally.

In India, most of the internet activity happens on platforms owned and operated by global tech giants, and a big chunk of the user data so generated is stored on servers residing abroad, mostly in the US, which is home to companies such as Google, Microsoft and Facebook. While a few of these companies store some B2B digital data on their India-located servers, data pertaining to the personal information of users resides outside India only.

This restricts government control over citizens’ data and could compromise user

privacy. The lack of a data privacy and security framework exacerbates the

cybersecurity situation further. A recent study by a digital security firm reports that between 2016 and 2017, there was a growth of more than 700 per cent in theft, loss or compromise of data records in India.

Interestingly, the B.N. Srikrishna Committee entrusted with the task of drafting an overarching data protection law for India is mulling the possibility of mandating data localisation. The draft is expected to be out by mid-May 2018. The committee, how-

ever, is unsure of whether data localisation should be limited to certain sensitive sectors or be applied across the board. Several countries including Russia, China, Australia and Vietnam mandate partial or full localisation of their citizens’ data. For instance, Chinese cybersecurity law mandates that citizens’ data, which is collected by critical information infrastructure operators in China, must be stored locally.

Recently, the Reserve Bank of India issued a notification directing all payment system providers to ensure that the entire data relating to the payment system operated by them is stored in India. The move aims to give lawmakers greater control over companies to ensure compliance and avoid unsolicited foreign surveillance.

The big question now is whether the government should implement data localisation for non-financial data too.

India, which aspires to bring its 1 billion plus population online in the coming years, is walking a tight rope as far as data localisation is concerned. Policymakers will need to take a balanced approach that safeguards user privacy but does not create “walled gardens” for the tech industry.