Data Localization In India
Around the end of July, a committee headed by retired Justice B N Srikrishna announced a Data Protection Draft Law that recommended that Indians should have at least one copy of their personal data in India (also called ‘data mirroring’). It also said that a part of that data, labelled as critical personal data, must be stored and processed only in India. On 6th April, 2018, a circular by The Reserve Bank of India (India’s Central Bank) mandated payment systems to ensure that the entire data collected from India to be stored in India.
This has sent global digital payment firms into frenzy. Such regulations might be impact prominent payments firms such as Visa, American Express, Facebook, PayPal, MasterCard and Google. Amazon, American Express and Microsoft, have opposed India’s policy which is inclined towards data protectionism. Google has agreed to comply with the Reserve Bank of India’s data localization norms, while Alibaba has supported India’s stance.
So what is Data Localisation?
Data localization is the practice of storing the personal data of a country’s residents on any device that is physically present within the borders of the country where the data is generated. This data should be stored and processed in the same country.
Why Data Localisation?
India has her own reasons to implement these ‘data protectionist’ policies. Ever since 2017, the incidence of mob violence, mob lynching and related incidents are rising. Officials were quick to notice that WhatsApp played a key role in amplifying these crimes. Rumours spread like wildfire on such platforms, but when the police tried to catch the culprits, WhatsApp held a firm stance on its encryption policy. This frustrated government officials. The Central Bank gave the rationale that data localisation will allow better monitoring, a rationale also applicable for the maintenance of law and order.
Such a judgement in the wake of Facebook Cambridge Analytica data leak is not surprising. Specially after European Union’s legislation of a new privacy law, GDPR or General Data Protection Regulation which is said to be the most important data privacy regulation in the last 20 years. It is believed that this decision is following the European Union’s privacy law.
The Government of India has firmly backed its stance on data localisation, a trend that is clearly gaining traction. China, Russia, Australia, Canada and several other countries have already adopted data localization provisions. People in favour of data localisation strongly argue that without data localisation, regulation for privacy and security will have little impact (Right to Privacy was recently interpreted as a Fundamental Right in India). These policies have also come in the wake of regular Facebook data leaks that no longer seem to be scandalous. As a matter of fact, many public and private institutions are reporting data leaks. This has only acted as an accelerator to the demands of data protectionism.
Another reason why the Indian government seems to be inclined towards localisation of data is because it will complement similar initiatives launched by the government for instance, Digital India, Make in India or Start up India, to name a few. If companies store their data in India, they will also have to build infrastructure there to do the same. Not only will this increase employment in construction and services sector, it will also allow young start-ups to use this data that will give them a competitive edge. Therefore most of the domestic start-ups / technology based companies support data localisation. Most of them are already storing their data in India. The Indian Government will complete many macroeconomic goals with one stroke if they implement data localization.
On the other hand, critics argue that it data localisation can be misused and can nurture a surveillance state like ecosystem. They also question if India has a superior data security standard than the rest of the world. They say that data stored anywhere is equally vulnerable and its safety, or lack of thereof, largely depends on the security standards of the protectorate company.
Without a doubt, there is a degree of opacity in the decisions taken by the Indian government. The Government plans to use the data of residents of India for good motives. But nowhere has it mentioned that the companies are obliged to provide this data to a third party. For India’s data policy to be in line with the goals she wants to achieve, the policy makers will have to put the terms and conditions on the platter before data localisation is proposed as a solution to the problems stated before.
Experts believe such policies can strain economic relations between India and the USA. The latter even expressed concerns over recent proliferation of digital protectionism worldwide, including data localisation. This attack was aimed at India, but needless to say, it was indirect and passive. They fear that such India’s action can trigger a Dominio Effect that might set a trend of similar policies in other countries.
India needs to strike a fine balance between her personal needs and her international relations. She also needs to make a balanced policy without hurting her image as a destination of FDIs and FPIs, most of these investments are done in companies that deal with data and data outsourcing. Then there are Indian companies that deal in the same domain but take in data from other countries and process their data. India acts as a hub of data outsourcing, a sector that employees many individuals, owning to the presence of cheap skills in India. A lot is at stake. Instability in any of the domains stated above can destabilize the Indian economy, which is already feeling the brunt of a sinking rupee.