In today’s technological age, data matters the most. The internet has revolutionized the ways in which exchange takes place. With our mere internet presence, we as netizens are creating petabytes of data on a daily basis. The data trail that we leave behind on the World Wide Web is permanently etched on the servers globally. On the downside, this data can be used against us in ways that are detrimental to society at large; scandals involving large scale misuse of data are being uncovered more frequently. At this juncture, governments have begun to look into user privacy and protection on the internet. The Indian government in their attempt at encouraging the same, drafted the Personal Data Protection Bill in 2018. In their step towards data protection, data localization has emerged as a policy and has become an issue of contention. The question that arises is, is it to the country’s benefit to implement data localization?
What does data localization do?
Data localization is a very simple idea. It basically means that the internet data generated within India needs to be physically stored in the country itself. In a large country like India where the penetration of the Internet is growing rapidly, the amount of data generated is expected to cross 2.3 million petabytes by 2020. This data that is generated in India is stored in various servers that are located across the globe. It is possible that user data entered in an e-commerce site or social networking site from a small town in India, may be stored on a server in the United States. Depending on the location of the server for that particular site, the data can be stored anywhere.
The nature of the data can include text messages, photographs, tweets, emails or even encrypted transaction details. Many e-commerce sites employ sophisticated analytical tools to gain business insights out of this information. Even social media sites use analytics for a variety of purposes such as advertising. In this process, there is a high risk of misuse of personal information. With regard to financial transactions, critical personal information, including financial information, is vulnerable to exposure to frauds. All this data that is left behind on the internet servers can pose a threat to both individual and national security.
The number of cases of cybercrime and frauds has been increasing every year. A report of the National Crime Record Bureau in 2017 stated that more than 12,000 cases of cybercrime have been reported in 2016-17 alone. The number of cases registered each year is growing at a fast pace. Investigating these cases requires access to internet data that is stored on the servers. However, when they are located overseas, this data cannot be accessed by Indian agencies unless they have mutual data extraction treaties. This makes it difficult to fight cybercrime and also exposes national security to risks.
Tracing the idea of data localization in India
The policy of data localization emerged in the Indian context in 2017. This policy can be attributed to the Supreme Court judgement which emphasized on the right to privacy of the citizens. This provided a framework for policy by emphasizing the protection of personal data as being subsumed under the civil liberties of citizens. This judgement paved the way for the Personal Data Protection Bill of 2018 which was based on the national data protection framework recommended by the Srikrishna Committee.
The Personal Data Protection Bill is unique in the way in which it defines user generated data. According to the bill, the users who generate data on the internet are owners of the data. Therefore, the right to use this data is with them and cannot be used by other parties without their consent. This Bill presses for fair practices while processing the data of the users. It also restricts the storage of critical information outside the country. However, there are also provisions allowing for data sharing with foreign entities through regulated means. Some of the other provisions of this Bill are the physical storage of data within India in their original form or even as copies.
This particular provision with regard to the physical storage of data has led to the formulation of the policy of Data localization. The Bill set off an array of changes with regard to data storage in India. The Reserve Bank of India has mandated for the local storage of payments data. Furthermore, the health regulatory bodies have come up with the Digital Information Security in Healthcare Act (DISHA) while the Department of Industrial Policy and Promotion has drafted the National e-Commerce policy to regulate the flow of key information abroad. With India moving ahead with digitalization, these changes have proved to be necessary.
However, the specifics of the RBI mandate have been the crux of the global controversy. The Personal Data Protection Bill states that all personal information stored abroad by the service provider can be kept as original abroad, yet, a mirror copy needs to be maintained in India. The RBI has gone another step further and stated that payments that are processed abroad involving domestic parties need to be brought back to India within 24 hours or one business day and erased from the foreign servers. This forms the case of contention because there are limitations on the jurisdiction of the RBI. They can set mandates for India but cannot ensure that the data is deleted from the foreign servers that are under the jurisdiction of other regulatory authorities.
The costs and benefits
In a context where countries like USA and Japan are lobbying for ‘Data Free Flow with Trust’, the RBI mandates stand in clear contradiction. These policies are seen as protectionist and against global interests. Many companies like Visa and MasterCard face a huge challenge as localization requires the creation of data centers in India for the storage of Indian data. However, the RBI has considered these factors and has not enforced a deadline for compliance. Social media sites like Facebook, Twitter and WhatsApp also face this constraint. This is also bound to increase operational costs and affect the ease of doing business for various companies. The United States has been critical of this policy. which can even have a detrimental effect on trade and investment in the Indian economy.
This policy also comes with some solid benefits that are not substitutable.
From a national security and law enforcement perspective, data localization is crucial as the incidence of crime has been increasing. The use of digital evidence for solving both cyber and general crime has also increased. Data localization cannot ensure that scams and frauds are completely eradicated, but it can guarantee that it is possible to investigate these cases with greater efficiency and contain the damage. In the long term, it also has the benefit of building digital infrastructure in India. This is critical for digitalization. National security is also an important factor dictating localization.
India does not have an umbrella authority when it comes to data protection. With India making strides towards digitalization, it is the time that we relook into data protection at a policy level. The draft bill of the Srikrishna Committee is an encouraging step in India’s commitment towards the right to privacy of its citizens. India has also been able to stand its ground on the international level despite opposition. Irrespective of the costs that data localization can have in the short-term; this move can have strong positive implications for growth in the decades to come.
Picture Courtesy- Starbic.com