The data demand and consumption patterns across the world have brought data safety and user privacy concerns to the fore. In the recently revealed data breach scandal, Cambridge Analytica obtained the personal data of 87 million Facebook users without their consent to support US President Donald Trump’s 2016 election campaign. Shaken by this incident, several countries are moving towards the concept of data localisation, which means that data generated in a country should be stored on systems/servers located within the country. China, Russia and Vietnam are some of the countries that have already implemented data localisation. The concept is also a part of the European Union’s General Data Protection Regulations. Government mandates for companies to host their data locally stem from a user security perspective.
The debate over data localisation is highly relevant in India as well. One of the largest users of data globally, the country is currently on the cusp of a digital revolution. Almost half a billion Indians use the internet for online banking, accessing social media applications, booking cabs, purchasing goods and services, etc. Since the majority of these online companies/technology platforms are owned by foreign companies, user information is mostly stored in data centres located outside India.
In such a scenario, there are high chances of data being misused and user privacy getting compromised. Artificial intelligence could also be used to tamper with this data. Therefore, data, that is critical to national interest should be processed within the country to prevent any kind of foreign surveillance. In this regard, the Justice B.N. Srikrishna Committee recently released a report on data privacy and protection, emphasising the need for data localisation.
Policy framework for data protection
The Telecom Regulatory Authority of India has mandated data localisation for operators while the Reserve Bank of India has released data localisation guidelines for payment service providers. The draft National e-commerce Policy also proposes the localisation of several categories of data involved in the sector.
Further, the recent data protection bill released by the Justice B.N. Srikrishna Committee prescribes localisation and lays down conditions for cross-border transfer of data. The committee recommended that all the data to which Indian laws apply should be stored locally, even if the intended destination is across borders. For data to be stored locally, data centres need to be established. The privacy bill provides that the central government will notify the categories of personal data for which data centres have to be established in India. It will also establish an authority under the legislation, which will be responsible for the compliances.
However, cross-border flow will be allowed for a few cases, such as software and cloud computing services involving technology related to data flow and other standard exceptions, which are consistent with the views expressed in the committee’s report. The government will decide whether data needs to be processed locally or permitted to be taken out of the country.
Localisation versus cross-border data transfer
One of the primary reasons for the growth of the internet and other digital services is the ease of information exchange across borders. In fact, cross-border data flows have contributed approximately $3 trillion to the global economy. Indian companies too have benefited significantly from this free flow of data with India’s largest IT companies deriving significant revenues from markets abroad. These channels would not exist if India mandates data localisation and prohibits the cross-border flow of data.
Also, India is fast emerging as an innovation hub. Leading Indian and foreign technology companies, industry associations, non-profit entities and civil society representatives have all highlighted the benefits of cross-border data flows and warned of the deleterious effects of any form of localisation or interference in the transfer of data across geographies. They fear that data localisation might impact innovation, economic competitiveness, and availability of new technologies and services to Indian users. In addition, cross-border data flow is essential for international trade and commerce. The basic premise of the digital economy is that it blurs traditional boundaries, or physical borders.
According to the Internet and Mobile Association of India (IAMAI), the government should enable cross-border transfers by developing a framework with recognition and acceptance of the privacy rules of different countries. In this regard, the Cross Border Privacy Rules under the Asia-Pacific Economic Cooperation privacy framework could be considered. The government should ensure that it has access to all data that is generated in India, but stored in foreign countries with due reciprocity.
The proponents of data localisation have some strong arguments as well. They believe data localisation would prevent foreign companies from repatriating money made on the back of Indian consumers’ data. Having exclusive access to national data would help Indian companies grow. Further, the government claims that keeping data in the country will protect the privacy of users. This, however, is debatable as India’s privacy laws are extremely weak and poorly implemented. Messages can still be easily intercepted due to minimal oversight or accountability. Therefore, moving data from the relatively secure US-based servers to the domestic ones that can be accessed by the government is not going to make it any safer. Also, collecting all the data in one place may increase the cybersecurity risks. The best solution is to store the data in different parts of the world in order to diversify the risk.
Impact on the Indian economy
While data localisation makes sense from a national security perspective, it could have serious implications for the Indian economy. According to a report by the Dialogue, titled “Data Localisation in a Globalised World: An Indian Perspective”, India’s GDP may fall by 0.8 per cent in the short and medium term if the country goes ahead with forced data localisation. The report also added that localisation policies may have a cascading effect on the economy, which would cost average Indian workers up to 11 per cent of their monthly salary.
Localising data would increase the cost of doing business for small and medium businesses, and also increase the danger of monopolisation in the digital infrastructure space because only a few firms would have the expertise and capital to invest in creating large data centres. Start-ups will be the most affected as it will cost more to set up a business and they may not have cheaper alternatives for data storage such as cloud if all data is forced to be located in India.
The Indian IT industry, which is driven by exports, deals with the data of its citizens and companies in the US, the European Union (EU) and other parts of the world. Given the comparative trade advantages enjoyed by one section of the Indian industry in this context, mandating a strict data localisation regime could be perceived as a restrictive trade barrier and could meet with resistance.
The way forward
Data localisation has emerged as one of the most contentious issues in recent times. While it looks promising from a national security perspective, its negative impact on businesses and the economy and the lack of procedural clarity in the data privacy bill have raised questions on the need for localisation. Further, restricting data within the national boundaries is against the basic philosophy of the internet, according to some industry observers. Others have suggested a balanced approach towards data localisation. Going ahead, providing incentives to domestic as well as foreign companies for setting up data centres in India could be a step towards successful data localisation.