This article is written by Shruti Kulshreshtha pursuing B.B.A.LLB from Symbiosis Law School, Hyderabad. The article analyses the importance of data localisation and the issues concerning it.
In order to reap the benefits of a digitised economy, it becomes crucial for data to flow freely. Although data is a pivotal part of our lives, the world is increasingly seeing strain in preserving personal data and a growing possibility of misuse of such information. One remedy for this is data localisation. Full-fledged data protection legislation is still a dream for India; however, data localisation is a stepping stone towards it.
What is data localisation?
Most of the time, personal as well as financial data is collected by websites when we use our credit cards, open a Netflix account and so on. To date, all this information is stored in a cloud created by the companies, which is situated outside the country. The concept of data localisation refers to storing data within the boundaries of the country and processing it locally, that is, within the home country. For instance, data which was created in England should be stored and processed in England itself rather than in a foreign country. The need for data localisation has emerged due to the pressing issue of the security and privacy of data, which is put at risk once it leaves the country’s borders. Data localisation will enable the enforcement of local data privacy legislation.
Importance of data localisation
The government of 1991 focused on globalisation and liberalisation so as to make the world a global village. But, the Narendra Modi government has launched various projects in order to enhance localisation and for the promotion of the domestic market. The schemes such as Start up India and Make in India have set out the pillars of the new age Indian economy, aiming at the requirement of the next pillar, data.
The potential grounds on which the governments of developing countries worldwide, including India, are keen to localise the data are listed below:
Protection of personal data
Localisation of data is predominant in the political scenario since the modernisation of the political world. The latest axiom prevailing in the market is ‘Data is the new oil’, meaning that data can prove to be the treasure of an economy. The personal and financial data which is available on the cloud is subject to foreign surveillance. In the wake of the current data scandals and the revelation made by Cambridge Analytica (which is alleged to influence voting outcomes based on available data), governments around the world have started to realise that protection of data is in the hands of the country itself and has now become an absolute requirement.
Storing data at a local location can ease the access of such information by the authorities when they require it. Justice Srikrishna Committee Report also pointed out that storing data locally is crucial for the purpose of law enforcement, without investing in any extra measures.
Law enforcement agencies often require information while investigating crimes. Local storage of data can help these authorities to access it in a timely manner. However, if such information is not stored locally, these agencies acquire data with the help of Mutual Legal Assistance Treaties (MLATs), which authorise them to obtain access. MLATs are treaties signed by different countries to aid each other in the legal processes of their own country. However, this process delays the investigation of crimes.
Economic competitiveness and taxation
Developing nations like India would have a competitive edge for their local companies, if they have localised data. Since data will not flow to foreign countries and stay within the country, it can create an information asymmetry that will be profitable for the local companies. If a country’s data is considered to be a national resource, then the government can tax the revenue generated from that data. This will be similar to taxation on the inflow and outflow of goods and services. Job opportunities within the country will rise for the data analytics sector and thus, the country will develop economically.
Imbalance in the playfield
The regulatory playing fields in the technological sector of a developing country and a developed country are wide apart. This might prove to be disadvantageous to the developing nation. The member states of the World Trade Organization’s General Agreement on Trade and Services offer a level playing field irrespective of nationality. India is a member of this WTO Agreement.
The issues around data localisation
Despite the demand for localisation of data, the government faces numerous issues, starting from the development to implementation of norms. The following are the challenges revolving around data localisation:
- If data is stored within the country, then the government will have to work on the functioning and effectiveness of payment system operators and incur a much higher operational cost than usual. In case of cross border transactions, data has to be stored at two places, which means double operational costs. This will result in an additional financial burden on the government and the consumers will likely have to incur this extra cost.
- Data localisation can catalyse governmental control and surveillance of its citizens. There is always a possibility of formation of stringent norms pertaining to localisation of data which can lead to excessive regulation affecting the role of innovation in a vibrant economy.
- In developing countries like India, there is a lack of the proper infrastructure required to collect and manage data. Localising data can avoid foreign misuse, but it cannot escape the threats and risks involved in domestic management of data. Inadequate infrastructure can hamper the paramount objective of localisation, i.e., security. Eradicating setting-up barriers is essential for smooth trade.
- Companies, specifically start-ups, will face huge financial stress since data localisation will entail additional investment, in the form of servers, cooling costs, UPSs, generators, business and personnel. Not only this, investment in terms of time will also be affected. Hence, companies might be reluctant to accept and enforce the norms of data localisation.
- The concept of data localisation is antithetical to the free flow of information, the basis of the internet. Imposition of taxes, excessive regulation and undue leverage of protectionism policy can obstruct free flow of data.
India’s rules in place for data protection
India’s business environment is highly dynamic in nature and calls for a system that caters to the need for data protection. The Government of India is attempting to stimulate localisation and cross border transfer of data. At the 14th G20 Summit, India supported data localisation. It has also received support at the United Nations Conference on Trade and Development. In April 2018, the Reserve Bank of India issued a circular stating that payment system operators shall store the entire financial data within the territorial jurisdiction of India only. 80% of the companies complied with this rule before the deadline of 15th October 2018. RBI further clarified in June 2019 that if data is processed outside India, it shall be brought back within 24 hours and shall be deleted anywhere else. In case of cross border transactions, a copy of such data can be stored. Currently, RBI is the only rule-maker for payment systems in India. RBI also informed operators about the type of data that needs to be stored in India, which is customer name, payment sensitive data and transaction data.
Thereafter, the Ministry of Electronics and Information Technology, Government of India, formed a committee under the chairmanship of retired Supreme Court judge, Justice B.N. Srikrishna. The committee aimed at comprehending and formulating data protection laws and drafting a Personal Data Protection Bill, 2018.
Key highlights of B N Srikrishna Committee report on data protection
Following are the observations and recommendations made by the Srikrishna Committee:
- Jurisdiction and Applicability: The jurisdiction of this law extends to personal data if it has been used, shared, disclosed, collected or processed in India. Also, the law shall apply to companies incorporated under the Company law, irrespective of the location of data processing within India. The bill gives power to the Central government to exempt companies which are solely engaged in processing of personal data of foreign nationals not present in India. The bill is not retrospective in nature.
- The Data Protection Authority (DPA) shall be constituted as an independent regulatory body for the effective management of data protection laws. The authority is responsible to ensure compliance of data protection framework by companies, governments and data fiduciaries. The DPA will draft a Code of Practice and take actions accordingly.
- Personal data should be processed only if the reason for processing is ‘clear, specific and lawful’. The government is permitted to process personal data if it is able to prove that such processing is crucial for the functions of the Parliament or the State Legislatures. The State can also process personal data without consent for the maintenance of law and order, in the public interest or in an emergency situation.
- Another recommendation made by the committee is granting the right to be forgotten to data principals or those whose personal data is being processed. This implies that the data principals will be at liberty to restrict the display of their personal data. This can be done only when the purpose of processing of data is completed or if the data principal annuls the consent for display of such data.
- Personal data shall be stored within the territorial jurisdiction of India and transfer of such data is subject to safeguards. However, personal data which is critical in nature can only be processed in India. Cross border transfer of data can be done by way of model contract clauses which have obligations of the transferor and transferee.
- The Aadhaar Act should be amended in order to bolster data protection. This shall include new penalties under the Act and autonomy for the Unique Identification Authority of India (UIDAI).
- The Committee has recognised 50 legislations which tend to overlap with the present data protection bill. Necessary amendments need to take place.
- Chapter 6 of the Report is a cost benefit analysis done by the committee upon the implementation of the recommendations made in the report. It states that this bill will reduce costs of acquiring data; ensure security due to reduced use of fibre optic cable; boost the information infrastructure and ensure sovereignty.
Draft National E-Commerce Policy, 2019
The Department of Industry and Internal Trade published a draft National E-Commerce Policy in 2019. This policy framework supported data localisation and recommended a 23-year period for the non-enforcement of the data localisation laws so that the country’s industries can adjust before these laws become mandatory. The Policy states that operators who follow localisation of data should be incentivised. To decrease loss of revenue, the government should be given the source codes and algorithms. It covers different categories of data, for example, information created by consumers on social platforms and web-based businesses, and community data (through IoT devices).
Status of Data localisation in other countries
The Government Directive 82 of 2012 established that all operators dealing with public services shall set up a data centre in Indonesia itself. However, this regulation was relaxed in 2019 vide Regulation 71 wherein this rule applied only to public bodies.
As per Vietnam’s law on cyber-security, electronic operators who collect or process personal data shall retain a copy of such data for a specified period of time and foreign companies engaged in such business should have a branch office in Vietnam.
China has established strict norms that promote data localisation. Reports say that the rules in China and Vietnam pertaining to data localisation are similar and both of the countries are focused on governmental control on data.
The United States of America does not have any data protection laws at the federal level. Nevertheless, it has individual laws such as the Health Insurance Portability and Accountability Act, 1996 etc.
The EU has not adopted data localisation restrictions and has approved the free flow of data through cloud computing.
A long-term and foolproof strategy for data protection is still being sought, and many studies believe that data localisation can be done. Reliance consented to the government’s data localisation policy; however, the majority of companies are not ready for such a colossal change in the data protection framework. This shows that the government should take steps in a phased manner so that consumers are able to settle slowly without any major damage to the economy. Sufficient attention needs to be invested in infrastructure, India’s Information technology-enabled services and Business Process Outsourcing for cross border flow of data.