Context:
- Like in many other countries, the political narrative in India also seems to be tilting towards data localization. This may be gauged from recent developments in the regulatory and policy framework on data governance, which may compel companies to set up their centres within Indian shores.
- Goals set in the Draft National Digital Communications Policy 2018, along with various government notifications and guidelines such as Reserve Bank of India’s notification on Payment Data Storage 2018, and the Guidelines for Government Departments for Contractual Terms related to Cloud Storage 2017, show signs of data localisation.
About:
Data localization is a measure adopted to give countries increased control over the data belonging to their citizens and residents. Due to the transient and pervasive nature of data on the internet, its security is constantly threatened and has indeed been breached on several occasions. Data localization is therefore conceived as a means of enforcing a data protection regime to secure the data of citizens and the critical interests of the nation state. This is achieved through:
- Restricting the transfer of data across national borders.
- Preventing transmission of data through enforcement of rules.
- Retaining within the country a copy of data that has been exported.
- Taxing the export of data.
- Enforcing applicable laws of the country vis-à-vis data security.
Data localization has become an indispensable aspect of the data protection regime of modern nation-states in the era of digitalization and the ubiquitous presence of the internet. China, Russia, Australia, Canada, the European Union and several other countries have already adopted data localization provisions. In this respect it becomes imperative for India to devise a policy and regulatory framework consistent with current international practices to protect and localise data.
Cloud computing refers to the provision of software, storage and other services to customers from remote data centres. It allows companies to use programs at lower operational costs as programs and data are not stored at the customer’s own data centres, or on their desktops.
Background:
A number of policy and regulatory initiatives on data protection in the recent past have set the ball rolling in India for data protection and data localization. Although the initiatives are yet to be implemented and are at an embryonic stage, they are a clear indication of a growing consensus on data localization.
- The recent reports by the Justice B. N. Srikrishna Committee and the Personal Data Protection Bill, 2018 underlined the following recommendations for data protection:
  - All personal data to which the law applies must have at least one serving copy stored in India.
  - In respect of certain categories of personal data that are critical to the nation's interests, a mandate is intended to be made to store and process such personal data only in India such that no transfer abroad is permitted.
  - Central Government will be vested with the power to exempt transfers on the basis of strategic or practical considerations.
- The e-commerce policy conceived in the e-commerce draft bill 2018 mandates data localization in India. It underlines that:
  - Mandating data residency makes it easier for the government to have access to data without dealing with privacy laws in other jurisdictions.
  - The policy provides incentives like waivers on import duties and other taxes that are needed to set up data storage centres. There’s a two-year sunset clause by which e-commerce entities would have to move personal data to India.
  - The bill suggests the creation of a social creditworthiness database using data from bank accounts created under the Prime Minister’s Jan Dhan Yojana, from Aadhaar, and mobile phones (collectively called the “JAM Trinity”).
  - The bill envisages re-examination of the National Encryption Policy 2015, to provide government access to personal and institutional data held by corporates in times of problematic and security-related situations.
- The Reserve Bank of India early this year came out with directives for financial entities to restrict the data related to the payment system within India. It is observed that not all system providers store the payments data in India. It has, therefore, been decided that:
  - All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.
  - System providers shall ensure compliance within a period of six months and report compliance of the same to the Reserve Bank latest by October 15, 2018.
  - System providers shall submit the System Audit Report (SAR) on completion of the requirement.
  - The audit should be conducted by CERT-IN empanelled auditors certifying completion.
Existing data protection framework in India
Presently, there are neither specific regulations nor any vested body for data protection in India. The digital era has triggered concerns about data protection. To mitigate privacy and national security concerns, the Indian legislature and governments have over the years passed some laws in this regard:
1. General Application: Information Technology (Reasonable Security Practices and Sensitive Personal Data or Information) Rules, 2011
2. Govt. Collection of Data: Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016; Aadhaar (Data Security) Regulations, 2016
3. Banking Sector: Credit Information Companies (Regulation) Act, 2005; Credit Information Companies Regulations, 2006; circulars of Reserve Bank of India including KYC circulars; Master Circulars on credit cards, etc.; Master Circulars on Customer Services; Code of Bank's commitment to Customers
4. Telecom Sector: Unified License Agreement issued to telecom service providers by the Department of Telecommunications; Telecom Commercial Communication Preference Regulations, 2010
5. Healthcare Sector: Clinical Establishments (Central Government) Rules, 2012; Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002
Need for data localisation in India
The following are some of the reasons for a reinvigorated data protection law:
- Sector’s demand: India aspires to become a global hub for cloud computing, data hosting and international data centres, all of which are prompting the government to enact data localisation requirements for accelerating the nation’s growth, especially in the sphere of digital technologies.
- Right to privacy: The recent judgement of the Supreme Court in K.S. Puttaswamy vs. Union of India made it clear that the right to privacy is a fundamental right. Protecting and preserving personal data becomes imperative in this regard. The court recognised ‘informational privacy’ as an important aspect of the right to privacy that can be claimed against the state and non-state actors.
- National security: Minimal or deregulated governance on critical data, due to absence of localisation requirements, could be detrimental to India’s national security as data would be outside the purview of existing data protection legislation. The ineffectiveness of Mutual Legal Assistance Treaties (MLATs) in this realm aggravates such government fears.
- International practices: With the advent of the General Data Protection Regulation, a transfer of data from the EU to a non-EU country will need either (i) to pass the adequacy test, or (ii) to be in accordance with standard contractual clauses offering enough safeguards in relation to the data. India does not figure in the present list of countries determined to be 'adequate'; however, countries like Argentina, Canada, Israel, Isle of Man, New Zealand and the United States have been determined as 'adequate'. Accordingly, it may be strategically prudent for India to bring its own regulatory framework on data protection in line with the EU.
Arguments in favour of data localisation
- Enforcement by local law agencies: A requirement to store personal data locally would boost law enforcement agencies' efforts to access information required for the detection of crime as well as in gathering evidence for prosecution. If personal data is within India, then the possibility of a foreign entity refusing access to such data would be reduced.
- Avoiding resultant vulnerabilities of relying on fiber optic cable network: A large amount of data is transmitted from one country to the other via undersea cables. The location of almost every undersea cable in the world is publicly available, which increases the risk of vulnerability of the internet and cross-border transfer of data.
- Preventing foreign surveillance: Data relating to critical state interests must be drawn up for exclusive processing in India and any such obligations should be limited to it. Thus, for prevention of foreign surveillance critical personal data should be exclusively processed within the territory of India.
- Cost of data protection: All or most legal obligations give rise to economic costs for regulated entities, and thus a mere increase in costs cannot be a reason not to introduce legal change. Rather, the costs incurred due to rules demanding local processing outweigh the benefits of such a requirement.
- Building an AI ecosystem: In the coming years Artificial Intelligence (AI) is expected to become pervasive in all aspects of life that are currently affected by technology and will be a major driver of economic growth. Creation of digital industry and digital infrastructure are essential for developments in AI and other emerging technologies. This necessitates data to be exclusively processed or stored in India.
- Digital Infrastructure: The server localization can have a positive impact on creation of digital infrastructure and digital industry through enhanced connectivity and presence of skilled professionals. It will bring higher foreign direct investment in digital infrastructure.
Arguments against data localization
- Safety of the data: Restricting service providers to use the infrastructure within a limited geographical territory increases the threats to data security. This is because the internet enables centralized data storage and processing, taking advantage of economies of scale and a seamless, global internet.
- Data versus Data Center – Jurisdiction: Mere location of a data center within the physical jurisdiction of a country does not entitle law enforcement agencies to have better access to data held by such centers. Access to data depends on who has custody, control and possession of the actual data, and that may not necessarily be with the entity that provides the local hosting facility.
- Localizing data center does not curtail vulnerabilities: Data destruction doesn't always require a continent-scale event. For instance, a slow water drip in an office building in Calgary, Alberta set off an explosion that caused days of computer outages for hospitals, ambulances, radio stations, taxis, and criminal justice facilities around the province.
- Data Localization cannot stop foreign surveillance: Several foreign governments are reported to use sophisticated malware for data surveillance. Thus, physical access to the data storage or processing facilities is not technically necessary in order to conduct surveillance activities.
- Threat of domestic surveillance: By extension of the same argument made by the advocates of data localization, local government may exercise greater coercive power over domestic businesses storing data to circumvent legal protections.
- Cost of Localization: Policymakers have not grappled with the substantial costs of reorganizing and relocating data and operating new data centers, which could discourage if not bar investment, especially from small and medium enterprises (SMEs). The Indian public cloud services market is set to more than double to $7 billion by 2022. According to estimates, enterprise spending on data centre infrastructure software will rise 10% to $3.6 billion in 2018.
- Cost of data breach: According to reports, the global average cost of a data breach is already up 6.4 percent over the previous year, to USD 3.86 million.
- Reduced quality of services: Data localization could significantly reduce the quality of the services Indian consumers receive by depriving companies of the scale and efficiencies of global networks and restricting the volume of data from which companies can extract insights to improve their services.
Way forward:
India needs to approach localization bearing in mind the following key principles.
- Policies that create barriers to cross-border data flows should not be promulgated unless backed by adequate and inclusive research on their multi-faceted impact on relevant stakeholders.
- Except data critical for national security, all other kinds of data should remain freely transferable, while recognizing that any potential fear of foreign surveillance is overridden by the need for access to information. The data should be defined with precision, and in consultation with stakeholders, to mitigate the risk of over-inclusion or ambiguity.
- Adequate infrastructure in terms of energy, real estate, and internet connectivity also needs to be made available for India to become a global hub for data centres. Promoting confidence in users without sacrificing expectations of privacy, security, and safety must also be worked upon.