News
- The IT Ministry’s Bill on data protection is scheduled to be introduced in Parliament during the current session.
- Worldwide, the data flow debate is playing out at the World Trade Organisation (WTO) and G20.
Background
RBI had in April last year asked payments firms to adhere to data localization norms, suggesting these companies had to store data on Indian servers only. They were given six months to comply with the banking regulator’s order. While foreign companies are adhering to RBI’s data localization rules, they have maintained that storing data on Indian servers would require setting up data storage infrastructure in the country, which would increase their costs.
The ‘Data’ under debate
- Data is any collection of information that is stored in a way so computers can easily read it.
- These days, most people refer to data to mean information about their messages, social media posts, online transactions, and browser searches.
- Big data refers to the immense amount of data that can now be collected, stored, and analysed to find patterns.
Why is Data important?
- This large collection of information about people’s online habits has become an important source of profits.
- Your online activity can expose a lot about who you are, and companies find it valuable to use the information to target advertisements to you.
- Governments and political parties have also gained interest in these data sets for elections and policymaking.
Data Localization
- It is a concept that the personal data of a country’s residents should be processed and stored in that country.
- Some directives may restrict flow entirely, while others more leniently allow for conditional data sharing or data mirroring – in which only a copy has to be stored in the country.
- As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” (MLATs).
India in favor of Data Localization
- India’s recent drafts and statements have strong signals for data localisation, which means that data of Indians (even if collected by an American company) must be stored and processed in India.
- Along with a RBI directive to payment companies to localize financial data, the Ministry of Commerce’s draft e-commerce policy is currently in public consultation.
- The IT Ministry has drafted a data protection law that will be introduced in Parliament and has also framed draft intermediary rules that were leaked earlier.
- These laws, broadly speaking, could require Facebook, Google, and Amazon to store and process in India information such as an Indian’s messages, searches, and purchases.
- In some cases, they restrict what type of data these companies can collect. In others, it requires only a copy of the data to be in the country.
- By requiring a copy of the data to be stored in India (data mirroring), the government hopes to have more direct control over these companies, including the option to levy more taxes on them.
- The government also argues for data localisation on the ground of national security, to prevent foreign surveillance and attacks.
Arguments in Favor of data localization
- A common argument by officials is that localisation will help Indian law enforcement access user data.This especially gained prominence when incidences of lynchings across the country were linked to WhatsApp rumours whose stance on encrypted content frustrated government officials.
- Along with government support, most domestic-born technology companies (which tend to have heavy foreign investments) support data localisation.Most of these firms store their data exclusively in India.
- Some Indian companies have strongly argued that data regulation for privacy and security will have little teeth without localisation, citing models in China and Russia.
- These domestic companies are rivals of many big US giants and condemn the large tax differences between international companies operating in India and those with a permanent establishment in the country.
- Many argue that localisation would lead to a larger presence of MNC’s in India overall, such as local offices, and increase tax liability and open more jobs.
- Secures citizen’s data and provides data privacy and data sovereignty from foreign surveillance. Example – Facebook shared user data with Cambridge Analytica to influence voting.
- Ensures National Security by providing ease of investigation to Indian Law Enforcement agencies as they currently need to rely on Mutual Legal Assistance Treaties (MLATs) to obtain access to data.
- It will give local governments and regulators the jurisdiction to call for the data when required.
- Data centre industries are expected to benefit due to the data localisation which will further create employment in India.
- Greater accountability from firms like Google, Facebook etc. about the end use of data.
- Minimises conflict of jurisdiction due to cross border data sharing and delay in justice delivery in case of data breach.
Argument against data localisation
- Industry bodies, especially those with significant ties to the US, have slung heavy backlash.
- Much of this sentiment hampers to the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows, rather than nationalistic borders.
- Opponents say that this, in turn, may backfire on India’s own young start-ups that are attempting global growth, or on larger firms that process foreign data in India.
- Critics caution against state misuse and surveillance of personal data.
- They also argue that security and government access is not achieved by localisation. Even if the data is stored in the country, the encryption may still remain out of the reach of national agencies due to company’s privacy concerns.
- The US government and companies want cross-border flow of data. It would allow companies to store the data of Indians in the most efficient place in the world.
- The Cyber Security Report 2017 reported that businesses in India were most at risk to cyber security attacks. Thus, a mandatory border control provision by data localisation may not be the solution to avoiding security breach incidents. As foreign governments use sophisticated malware to spy, forcing data storage within the country’s boundaries may not offer it any better protection.Huge costs are involved to fulfill data localisation requirements.
Data protection bill seeks localisation of data
- The Justice Srikrishna Committee in its report accompanying the draft Personal Data Protection Bill notes that eight of the top 10 most accessed websites in India are owned by U.S. entities
- This reality has often hindered Indian law enforcement agencies when investigating routine crimes or crimes with a cyber element
- Police officials are forced to rely on a long and arduous bilateral process with the U.S. government to obtain electronic evidence from U.S. communication providers
- The committee seeks to correct this
- The Bill calls for a copy of user data to be mandatorily localised in India
Is data localisation enough?
- A fundamental error that the Srikrishna Committee seems to have made is in its belief that the location of data should determine who has access to it
- The reason that Indian law enforcement relies on an outdated Mutual Legal Assistance Treaty (MLAT) process to obtain data stored by U.S. companies is because the U.S. law effectively bars these companies from disclosing user data to foreign law enforcement authorities
- Technology companies are allowed to share data such as content of an email or message only upon receiving a federal warrant from U.S. authorities
- This scenario will not change even after technology companies relocate Indian data to India
- Crimes across the globe not covered
- The draft bill mandates local storage of data relating to Indian citizens only
- Localisation can provide data only for crimes that have been committed in India, where both the perpetrator and victim are situated in India
- Prevalent concerns around transnational terrorism, cyber crimes and money laundering will often involve individuals and accounts that are not Indian, and therefore will not be stored in India
- For investigations into such crimes, Indian law enforcement will have to continue relying on cooperative models like the MLAT process
Is location sole measure of claiming data rights?
- Questions around whether access to data is determined by the location of the user, location of data or the place of incorporation of the service provider have become central considerations for governments seeking to solve the cross-border data sharing conundrum
- The Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed by the U.S. Congress earlier this year, seeks to de-monopolise control over data from U.S. authorities
- The law will for the first time allow tech companies to share data directly with certain foreign governments
- This requires an executive agreement between the U.S. and the foreign country certifying that the state has robust privacy protections and respect for due process and the rule of law
- The CLOUD Act creates a potential mechanism through with countries such as India can request data not just for crimes committed within their borders but also for transnational crimes involving their state interests
Data policies in neighbourhood
- China has developed similar laws, which proponents say allow for a flourishing domestic economy of data centres and data processing by blocking foreign players out.
- This is why Indian companies, like Reliance and PayTM, usually support data localisation.
Ahead of G20 meet
- A principle titled “Data Free Flow with Trust” (DFFT) — supported by US, Japan, and Australia — is expected to be a significant talking point at the upcoming G20 summit.
Way Forward
- There is need to have an integrated long-term strategy for policy creation for data localisation.
- Adequate infrastructure and adequate attention need to be given to the interests of India’s Information Technology enabled Services (ITeS) and Business Process Outsourcing (BPO) industries, which are thriving on cross border data flow.