This article has been written by Sankara Narayanan, pursuing a Diploma in US Technology law and paralegal studies from LawSikho. It has been edited by Smriti Katiyar (Associate, LawSikho).
Data localization is very important, as storing, processing, and controlling the transfer of data are emerging fields of business in information technology. Data localization refers to the physical storage and processing of data within the boundaries of a country or local jurisdiction. Different countries have framed data transfer policies to regulate the free flow of data collected by both private and government agencies, owing to various security issues and data privacy concerns. In April 2018, the Reserve Bank of India (RBI) notified all financial organizations providing payment services in India, including credit card companies such as Mastercard, American Express, Diners Card, etc., to conform to the data localization guidelines and store and process data in India. Many credit/debit card companies have complied with the guidelines, but many international credit/debit card companies have not fully complied with the requirements. Therefore, RBI has put an initial restriction on Mastercard and others, barring them from registering any new customers and issuing credit/debit cards to Indian consumers from 22nd July 2021. The main contention of the credit card companies is that data localization would make it costlier for them to do business in the competitive markets of India. RBI has not heeded any such concerns and has gone ahead with an indefinite ban on Mastercard registering new customers in India.
Importance of data security
Data security is important, and if it is not regulated within the limits of the local jurisdiction, third parties may invade the privacy of individuals, infringing their liberty without any recourse to legal remedy. Data is now considered an expensive commodity that companies can use for economic benefit. In the new era of digital storage, data that is properly processed becomes ‘big data’, a new form of wealth often called the ‘new oil’. If data is allowed to be stored and processed outside a country’s boundaries, the government will not be able to restrict manipulation and misuse of the transferred data.
If data is not stored locally and is allowed to be stored and processed elsewhere, it can be misused, and the culprits cannot be brought before the justice system of the particular jurisdiction because of differences in cross-border legal frameworks. Companies may use personal data for their economic benefit without regard for the personal rights or liberty of people in a country whose rules and regulations they can evade.
Data localization is the collecting, storing, and processing of data on a physical storage device located within the boundaries of the country where the data is collected from individuals. Processing and storing data requires complex hardware and software as well as special infrastructure. Many companies use overseas storage, especially the ‘cloud’, located in different jurisdictions that provide legal and economic advantages.
Advantages of Data Localization Policies
Through data localization, personal data can be secured and protected from foreign surveillance. Personal data protection is a fundamental right, and if data is allowed to be stored in a foreign jurisdiction, it is open to monitoring by foreign security agencies. Data localization eases investigation of national security issues, since assistance from foreign agencies can otherwise be obtained only by signing Mutual Legal Assistance Treaties (MLATs). When data is stored locally, local enforcement agencies can monitor suspected data for economic crimes. Storing the data locally allows the government and regulatory authorities to call for any details when they require them. Data storage and processing is a growing industry, and new employment opportunities are created for the people in the country. Once a data localization policy is formulated, greater accountability can be imposed on corporations and companies, and strict measures for data privacy breaches can be enforced. Data localization policies will minimize the jurisdictional conflicts that normally arise when data is stored abroad.
Disadvantages of data localization
While there are many advantages to data localization, there are disadvantages too. Maintaining multiple local data storage facilities requires high investment and expertise. Efficient data storage and processing requires top-quality infrastructure and uninterrupted availability of power. Even if data is stored locally by companies, the encryption keys may not be available to local law enforcement agencies. A strict policy on data localization may bar the entry of competitive service providers from abroad.
International Perspective on Data Localization
Various countries have implemented or are in the process of formulating a legal framework on data localization rules and regulations.
China has a strict data localization policy that stops data flow between China and other countries across the globe. China restricts access to certain websites, restricts data from a trade perspective, and requires certain types of information, including financial and health or medical information, to be located within mainland China. Cybersecurity law in China also requires certain types of organizations to conduct security assessments before transferring personal data abroad.
Japan’s localization of data policy requires patients’ personal and medical care records to be stored within the country.
Australia requires certain health information of individuals to be stored only locally.
Provinces in Canada, such as British Columbia and Nova Scotia, require personal information maintained by public bodies such as hospitals, schools, and government departments to be stored locally unless explicit consent is obtained from the individuals. Individuals may choose to transfer such data outside of the country and allow it to be accessed by a third party.
Russia has one of the most extensive data localization policies among all countries. Russia’s data law requires that all personal data collected from citizens first be processed and stored locally. Once it is physically stored locally, it may be transferred abroad for certain purposes.
The European Union (EU) comprises various countries in Europe and data localization policy is a contentious problem as France and Germany suggest localization policies in certain sectors while Sweden is pushing for free flow of data across the world. EU law on personal data protection allows the transfer of data to third countries only if the EU has verified adequate protection measures in that country.
The US advocates the free flow of information, as all the major data storage companies such as Amazon, IBM, Google, etc. are based in the USA. The US has a data privacy protection act that regulates the misuse of personal data.
Data localization Policies in India
India is one of the fastest developing economies in the world, and data localization policy is a paramount concern, not only because of the undue economic benefits drawn by corporates and companies but also from the national security standpoint. In the absence of a data localization policy, data can be stored by companies at various locations of their choice and will be out of reach of the Indian law enforcement authorities when data privacy is breached or the data is under the surveillance of foreign agencies.
The Indian government appointed Justice B. N. Srikrishna as the chairman of the expert committee for recommendations on data localization policies in 2018. The committee submitted its draft proposal for the Personal Data Protection Bill. The government introduced the 2019 bill in the Indian Parliament, where it is still pending enactment. The bill proposes a data localization and data protection legal framework for various economic sectors. The main objectives of the bill are to increase economic growth and employment, prevent external surveillance of data, secure personal data, permit access to personal data by law enforcement agencies, and ensure effective enforcement of data protection laws.
The data protection bill envisages the idea that the right to privacy of an individual is a fundamental right and that protection of personal data is a paramount responsibility in the information technology era. A regulatory authority shall be able to take necessary actions in the dynamic world of digital technology to update the regulations from time to time, regulate the misuse of personal data, and issue guidelines for the overseas transfer of personal data. The Union Government may notify different categories of personal data and limit the data to be processed outside India.
Data localization policies have been implemented in major sectors such as the telecommunication and banking industries. Telecom operators in India must store and process subscribers’ data locally and restrict the transfer and storage of such data overseas. RBI has issued guidelines to the banking sector that all financial transaction and payment-related data be stored in India, with permission to process the data overseas.
While India is yet to enact the data protection bill, Indian regulatory bodies such as the telecommunication regulatory authority have already mandated that telecom operators operating in India store the personal data of subscribers locally. RBI, the regulatory body for the banking and financial sector, requires licensed banks and payment system providers to store the data and personal information of customers locally but also allows them to store data abroad if certain criteria are met.
India may have to take the initiative to facilitate world-class infrastructure and partner with organizations that are willing to co-operate and conform with Indian laws and regulations, so that dependence on foreign data storage companies can be minimized and costs saved in the long run. To better protect the national interest, the data protection bill should be enacted at the earliest with necessary changes, and the regulatory authority should be constituted to implement data policies and regulate the data market.
Mastercard in India was given enough time, i.e., from April 2018, to conform to RBI guidelines. Their contention of additional cost and investment requirement for the data localization to be implemented is unreasonable, as Mastercard holds over 31% payment service market share in India. All corporations or companies operating in India should conform to the guidelines issued by the regulatory authorities. International corporations and companies such as Mastercard cannot seek an exemption from abiding by the regulations on the pretext of any cost escalation.