With an Eye on User Privacy, India Strives to Store Data Locally
Reports suggest that cross-border data flows contributed $2.8 trillion to the global economy in 2014, which is expected to touch $11 trillion by 2025. However, many governments have been inclined towards restricting cross-border data flow and mandating localisation of certain data.
Corresponding to many other countries, the political narrative in India also seems to be tilting towards data localisation. This may be gauged from recent developments in the country’s regulatory and policy frameworks on data governance, which may compel companies to set up their data centres within Indian shores.
It remains to be checked whether curbs on cross-border data flows will lead to the anticipated enhancement of data privacy, sovereignty and security, or are we merely heading towards a Walled Wide Web without meeting these objectives?
Policy goals set in the Draft National Digital Communications Policy 2018, along with various government notifications and guidelines such as Reserve Bank of India’s notification on Payment Data Storage 2018, and the Guidelines for Government Departments for Contractual Terms related to Cloud Storage 2017 show signs of data localisation.
The rationale behind such mandates has been attributed to various factors, such as: securing citizen’s data, data privacy, data sovereignty, national security, economic development of the country etc. The extensive data collection by technology companies, due to their unfettered access and control of user data, has allowed them to freely process and monetise Indian users’ data outside the country.
This has raised data protection and privacy concerns. Furthermore, the advent of cloud computing raises important questions on accountability of service providers who store Indian users’ data outside of Indian boundaries, leading to a conflict of jurisdiction in case of any dispute.
Also, minimal or deregulated governance on critical data, due to absence of localisation requirements, could be detrimental to India’s national security as data would be outside the purview of existing data protection legislation.
India’s Growth Conundrum
In addition to these, India also aspires to grow as a global hub for cloud computing, data hosting, international data centres etc., all of which are prompting the government to enact data localisation requirements for accelerating the nation’s economic growth, especially in the sphere of digital technologies.
Though these policy goals are noble, a deeper analysis is required to determine the possible adverse spill-over effects on relevant stakeholders, in case of adopting a faulty roadmap to achieve them.
Adequate attention needs to be given to the interests of India’s Information Technology Enabled Services (ITeS) and Business Process Outsourcing (BPO) Industries, which are thriving on cross-border data flow.
The possible rise in prices or unavailability of foreign cloud computing services in case of a data localisation mandate, and its impact on Medium Small and Micro Enterprises (MSMEs), as well as start-ups relying on these services must also be counted for.
Domestic and foreign businesses engaged in developing data driven new age technologies such as Internet of Things and Artificial Intelligence may also find it hard to comply with data localisation requirements.
Another area of caution for policy makers is to prepare adequate ground through holistic analysis, before mandating data localisation, especially on devising an optimal regulatory and legislative framework for data processors and data centres operating in the country.
Adequate infrastructure in terms of energy, real estate, internet connectivity etc also needs to be made available for India to become a global hub for data centres. Promoting confidence in users without sacrificing expectations of privacy, security, and safety must also be worked upon.
The Right Way Forward
With the BN Srikrishna Committee’s ‘recommendations on the data protection legislation’, and the Telecom Regulatory Authority’s ‘principles on data ownership, security and privacy’ expected soon, the emerging trend of cross-border data flow restrictions becomes worrisome.
While the government’s policy goals are certainly having the right intention, adoption of the age-old route of protectionism for their realisation may not be appropriate. Formulating policies that create boulders in cross-border data flows should not be promulgated unless backed by adequate and inclusive research on its multi-faceted impact on relevant stakeholders.
Also, the possibility of triggering a vicious cycle of data localisation requirements by other countries as a response to India’s possible data localisation mandate will be detrimental for the global data economy.
Governance of cross-border data flows has only begun to set foot and it must be nipped at the bud, lest ‘the Information technology which has been one of the leading drivers of globalisation, becomes one of its major victims!’
Enhanced cooperation between all stakeholders in the global arena, through prolific debates, may pave the way ahead for deciding the fate of cross-border data flows, without compromising on data privacy, security and sovereignty.
(The author is a senior research associate at CUTS International. This is an opinion piece. The views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)