This article has been written by Aryashree Kunhambu pursuing the Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.
Data localisation has become a significant policy issue globally, primarily due to the fear that a nation’s sovereignty will be threatened if it is not able to exercise full control over the data stored outside its borders for national security and law enforcement purposes. This is particularly relevant to nations such as the US and China due to their dominance in many areas of the digital ecosystem such as artificial intelligence, cloud computing and 5G telecommunications. These technologies are heavily reliant on or produce data and such data can be used for many purposes such as national security, business growth, fraud detection or even scientific discovery. By defining how such data is collected, where it is stored, for what it is used and transferred, can have a significant impact on industry growth, geopolitical relationships and civil society. Today, various stakeholders across this landscape want to ensure that the data of their customers is stored safely and securely and it is this common interest that is motivating nations to implement data protection laws. This article will examine whether data localization is an effective policy for India to safeguard its sovereignty and preserve its ability to oversee how citizens’ and inhabitants’ data is used.
Data localisation is a policy measure that restricts the free flow of data across geographic boundaries. It means that data that is created within the borders of a certain nation should stay within them and is almost always applied to the creation and storage of personal data. Several methods to employ such data localisation policies can be used for example in some jurisdictions such as Vietnam, firms are only supposed to keep locally a copy of the data transferred, whereas, in other jurisdictions such as China and Russia, data stored domestically is not allowed to be transferred outside territorial borders to enhance sovereign control over citizens’ data. These laws are subject to international agreements and treaties signed between the host nation and its international partners.
Data localisation policies have significantly departed from the existing design principles of the internet which are premised on the free flow of data. Some have argued that while due to the free flow of data, local consumers have been able to access a plethora of innovative products and services stationed outside their domestic countries, local producers have not benefited. Therefore, any data localisation policy that is employed must be tailor-made to promote security and domestic control on one hand and maintain economic innovation and global relations on the other.
Emerging technologies such as artificial intelligence, advanced analytics, the Internet of Things, cloud computing etc., use and produce vast amounts of data. Exercising control over such data on behalf of citizens and inhabitants becomes necessary for purposes such as national security and innovation. For example, in times of a worldwide pandemic, the intellectual property of a vaccine cure is a high-value asset to a country and must be protected for national security and economic purposes. Thus, data sovereignty or control over data is often claimed through domestic policy creation, geopolitical power and international treaties and agreements.
Today, digital dominance is becoming a key concern for the implementation of data localisation laws as such dominance poses a threat of foreign government interference and power to infringe upon the sovereignty of other nation-states. A driving force behind the proliferation of data protection laws globally is to curb foreign governments from accessing personal data (by request or force) outside of their jurisdiction. Moreover, a neo-colonial dependency on multinational technology companies has also made such entities a primary focus under the privacy regime. Regulators fear that by controlling access to technology by countries that own most of these companies (the USA and China), they will have the power to control other aspects of civil life.
Four key concerns of countries demanding data localisation are compiled as follows –
- Difficulty in accessing personal data saved on foreign servers for national security and law enforcement purposes;
- Loss of economic benefits to local firms due to exploitation of data by foreign firms;
- Enabling foreign surveillance;
- Misuse of personal data via unauthorised sale and violation of privacy rights.
Data localisation has become a significant policy issue in India due to the perceived economic benefits of processing consumer data especially to small business establishments in India along with other difficulties in accessing personal data for law enforcement. While there are several sector-specific data localisation measures (e.g., relevant sections of Indian Companies Act 2013, The Reserve Bank of India’s Directive 2017-18/153 (April 6, 2018) issued under the Payment and Settlement Systems Act 2007, IRDAI (Maintenance of Insurance Records) Regulation, 2015), the national personal data protection bill proposed in the Indian Parliament in 2019 is still being debated and considered.
The Personal Data Protection Bill 2019 is the first country-wide data localisation framework and is based on the report produced by the Committee of Experts under the chairmanship of Justice B.N. Srikrishna. The report provides a detailed explanation for proposing localisation of personal data in India and states four objectives for pursuing it –
- Securing personal data for faster and easier access for law enforcement;
- Increasing economic growth and boosting employment opportunities;
- Preventing surveillance by foreign countries;
- Enforcing data protection laws.
The 2019 data protection bill has classified personal data into different categories and accorded different levels of security with regard to cross border transfers for processing and storage. According to the bill, ‘sensitive’ personal data (which includes financial information) must remain in India but a copy of it may be transferred outside the country subject to certain conditions namely –
- Explicit consent is given by the data principal; the transfer is pursuant to a contract or intra-group scheme approved by the Data Protection Authority;
- The country is deemed to provide adequate protection as per the government;
- Specific authorization of the transfer by the Data Protection Authority.
The bill stipulates that ‘critical’ personal data cannot be taken out of India except under very exceptional circumstances. All other data which is not ‘sensitive’ or ‘critical’ in nature can be moved out of India freely. Therefore, the Indian Government’s proposal for data localisation must be valued on how well they would achieve the democratically articulated objectives.
Is data localisation an effective policy for India?
Data localisation, to be an effective policy regime must achieve the objectives of proposing the same in such a manner that the demerits of such a policy seem to be insignificant. While analyzing the Srikrishna Committee Report and the study conducted by Carnegie India on how data localisation would benefit India, I have reached the following conclusions –
Local storage is not the only way to ensure effective access for law enforcement or regulatory purposes
Data localisation is unlikely to help India achieve the objective to access data easily. For example, it would not enable access to data in cases where the data sought by Indian law enforcement is stored in another country subject to their municipal laws. The best way to obtain this data or establish jurisdiction over it is by entering into international agreements that allow hassle-free information sharing and establishing direct jurisdiction over firms operating in India. Law enforcement and national security objectives may be better served by a combination of two strategies – firstly, light touch localisation requirements (storage of local copy in India, while the data can be processed and stored globally) and secondly, by way of bilateral and multilateral agreements that enable India to access data stored outside its jurisdiction.
Local storage does not necessarily improve the domestic economy
Local storage of data could promote India’s objective to enhance economic growth and employment. It could drive up the demand for goods and services in India and give a slight competitive edge to local producers over their foreign competitors. All these possibilities are subject to various contingent factors, such as –
- local storage would require companies to invest in creating storage facilities which would in turn increase prices and limit ICT goods and services, whether Indian firms would be able to adapt to these changes?
- would such high costs act as a barrier to market entry and in turn suppress entrepreneurial activity in the country?
- whether indigenous firms would meet the demand for data centres or would India have to rely on imports, which would not add to the GDP?
- whether there would be any retaliatory measures by other countries on Indian service-sector exports?
However, data localisation is not required to give greater access to consumer data for innovation as localisation in itself does not advance jurisdictional claims as discussed above.
Local storage does not prevent foreign surveillance entirely
Prevention of surveillance is a legitimate state interest of every sovereign state. The Justice Srikrishna Committee’s report and the draft National E-Commerce Policy Report have anticipated the role of localisation in preventing foreign surveillance. Nations specifically are interested in preventing the surveillance of certain categories of individuals such as personnel dealing with defence and scientific materials, senior government officials etc. India already has data localisation measures in place to safeguard data and communications relating to government activities. Therefore, the data which needs to be protected is the personal data of government officials that are generated when they act as private citizens.
It is important to note here that their personal information on social media websites and other platforms can be accessed by foreign governments legally as per their municipal laws if the data is stored in their jurisdiction. Even when data is stored in India, foreign governments determined to obtain such data will employ all possible measures to obtain such data. Edward Snowden, a former U.S. contractor for the Central Intelligence Agency in 2013 disclosed that the United States National Security Agency was surveilling the communications of foreign governments and citizens. This revelation highlighted the extent to which digital surveillance could be conducted. Thus, it can be concluded that data security features are better guaranteed to protect data rather than data localisation.
Local storage does not ensure enforcement of data protection laws or data security
Enforcement of data protection laws in India are already in place via local incorporation and establishment requirements rather than requirements that mandate businesses to locate physical infrastructure in the country. The enforcement of data protection laws under the proposed bill is contingent on foreign businesses establishing themselves in India and not on data localisation. It requires significant data fiduciaries to register in India. Therefore, the enforcement of data protection laws would be a result of their local registration in India rather than data localisation.
Hardware storage increases costs substantially and no longer provides the security assurance it once did. For example, Mastercard spent $350M out of its $1B investment on data localisation compliance in India. Cloud storage has improved security as the data stored is distributed over several systems rather than being stocked in a single location. Companies that specialise in cloud storage have also made heavy investments in their cyber security capabilities to gain consumer confidence. A small local producer would not have the resources or ability to build the same high-tech cybersecurity framework and would be at an increased threat of security breach. Thus, when it comes to data security, a reasonable measure of security must be accorded to data irrespective of where it is transferred to. Investment in infrastructure and maintenance is critical rather than focussing on the physical location of the data.
Today, there is no denying that emerging technologies are changing the way we live in a manner that was only fiction once. To establish trust in civic establishments, the government needs to balance innovation and growth with safety and security, especially when it comes to policies regarding the data of citizens and inhabitants. Ultimately, the best solution for Indian lawmakers is to enter into bilateral and multilateral agreements to resolve issues regarding access to data especially with countries whose domestic laws restrict access to data stored in their territory. This solution would certainly help law enforcement efforts during investigation and collection of evidence for prosecution. Mirroring of data is another method that can be employed to achieve both law enforcement and economic benefits through establishing legal jurisdiction over such data is essential in this method as well. Ultimately, when it comes to data security and prevention of foreign surveillance more reliance is put on technical infrastructure and storage of data locally has little to no effect. Keeping in mind all the above-mentioned pointers, the Indian government should aim for privacy policies that demonstrate a strong commitment to sovereignty, personal privacy and an equitable digital ecosystem in all allied nations.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:https://t.me/joinchat/L9vr7LmS9pJjYTQ9