- Data localisation is the concept that the personal data of a country’s residents should be processed and stored in that country. Some directives may restrict data flows entirely, while others more leniently allow for conditional data sharing or data mirroring – in which only a copy has to be stored in the country.
- As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” (MLATs).
Among reasons supporting data localisation put out by the Justice Srikrishna Committee report last year, a few key ones are:
- Law enforcement: Data localisation is critical for law enforcement.
- Access to data by Indian law agencies, in case of a breach or threat, cannot be dependent on the whims and fancies, or on the lengthy legal processes, of another nation that hosts data generated in India.
- If data generated in India is stored in the U.S., for example, it is dependent on technology and channels such as the undersea fibre optic cable network.
- Such reliance can be debilitating in the case of a tech or physical breakdown. The report hence recommends that at least a copy of the data must be stored in India.
- Technology: Technology playfields are not even. A developing country such as India may be playing catch-up with a developed nation, which may be willing to offer liberal laws.
- It may not be wise for India to have the same liberal rules as other nations would.
- A key observation of the report is that it is ideal to have the data stored only locally, without even having a copy abroad, in order to protect Indian data from foreign surveillance.
- RBI: Currently, the only mandatory rule on data localisation in India is by the Reserve Bank of India for payment systems. Other than this, there are only reports or drafts of bills that are yet to be signed into law.
- Justice Srikrishna Committee report: Among material available in the public domain on data localisation is the white paper that preceded the Justice Srikrishna Committee report, inviting public comments.
- Draft Personal Data Protection Bill, 2018: The second piece is the Draft Personal Data Protection Bill, 2018 itself which has specific requirements on cross-border data transfers.
- This is seen as being more restrictive than the recommendations of the Srikrishna Committee.
- Draft e-commerce policy: The draft e-commerce policy also has clauses on cross-border data transfer. For example, it suggests that if a global entity’s India subsidiary transfers Indian users’ data to its parent, the same cannot be transferred to a third party even with the user’s consent.
Shouldn’t the level of protection vary according to the nature of data?
- The Justice Srikrishna Committee report has made a point about not treating all data alike. For example, a user’s reading preferences are not as sacrosanct as his or her Aadhaar details. The data protection bill too differentiates between ‘critical’ and other data.
Why are companies reluctant to comply?
- The disadvantage for a company compelled to localise data is obvious — costs, in the form of servers, the UPS, generators, cooling costs, building and personnel.
- Companies feel that infrastructure in India is not yet ready to support this kind of ecosystem.
- For any large e-commerce player in India, costs may go up between 10% and 50% depending on how stringently the final law is worded.
- The big daddies of e-commerce and social media may not find it too difficult to comply. Small companies providing services in India will find compliance tough.
- In fact, one of the objectives of data localisation is to give a fillip to the start-up sector in India, but stringent norms can make it costly for small firms to comply, thereby defeating this objective.
- While this places small entities in a difficult position, the spirit of the Justice Srikrishna Committee report seems to imply that this is not reason enough to avoid compliance.
- While granting that the data protection bill comes after a lot of homework, observers feel it is still not comparable to the EU General Data Protection Regulation (GDPR), which took a few years to draft, adding scholarly and academic depth to the consultations, inputs and the final wording of the law.
- It is well known that Canada and Australia protect their health data very carefully.
- Vietnam mandates one copy of data to be stored locally and for any company that collects user data to have a local office, unlike the EU’s GDPR.
- Citing national interests, China mandates strict data localisation in servers within its borders. International reports refer to data protection laws in Vietnam and China as being similar, in that they were made not so much to protect individual rights as to allow government to control data.
- For the EU, it is clear that customer is ‘king’. Their GDPR is agnostic to technology and sector.
- Interestingly, the U.S. has no single data protection law at the Federal level. It does, however, have individual laws such as the HIPAA (Health Insurance Portability and Accountability Act of 1996) for health care, another for payments, and the like.
- Brazil, Japan, Korea and New Zealand have put in place data protection laws.
- Chile has recently announced the setting up of an independent data protection authority, while Argentina is currently reforming its privacy legislation.
- In September 2018, the EU had said in its response to India’s data protection draft bill that “data localisation requirements appear both unnecessary and potentially harmful as they would create unnecessary costs, difficulties and uncertainties that could hamper business and investments”.
- It added that if implemented, “this kind of provision would also likely hinder data transfers and complicate the facilitation of commercial exchanges, including in the context of EU-India bilateral negotiations on a possible free trade agreement”.
- For companies from one country doing business in another, it becomes cumbersome to have two different compliance levels.
Alternatives to data localisation
- Data security and integrity is best provided through encryption and clear legal frameworks.
- Let’s assume data is stored locally but encrypted, or that data required for a criminal investigation is stored in another territory, where there are strict data localisation laws [which prohibit the flow of data outside the country].
- In both scenarios, criminal investigations might become impossible and the economy may suffer.
- Regardless of the actual location of data, the government should invest in legal frameworks and judicial oversight to provide clarity for law enforcement authorities, companies, and citizens alike.
- India is in an incredibly interesting situation right now.
- On the one hand, there is an incredible growth and uptake in digital services and entrepreneurship.
- On the other hand, India’s policymakers have the opportunity to examine what other economies, the EU for example, have done when it comes to data localisation and privacy.
- Two things are crucial for India to stay ahead of the curve.
- First, policymakers must believe in the transformative power of Indian entrepreneurs to succeed globally and allow those entrepreneurs to sit at the table and be part of decisions regarding privacy and data flows.
- Second, rather than simply copying foreign legislation, the Indian government could cut red tape and legal uncertainty for businesses while providing an adequate protection of data in a global context.