Insights into Editorial: What is India’s stand on data storage?
Facebook’s Mark Zuckerberg recently expressed apprehension about nations wanting to store data locally.
According to him, it gave rise to possibilities where authoritarian governments would have access to data for possible misuse.
In recent, the U.S. criticised India’s proposed norms on data localisation as ‘most discriminatory’ and ‘trade-distortive’.
India is at a juncture where various bills are ready to be signed into law that will set data localisation and protection regulations in stone.
What is data localisation?
Data localisation laws refer to regulations that dictate how data on a nation’s citizens is collected, processed and stored inside the country. It is also known as data residency.
There are many advantages of it, mainly we can classify them into 3 categories i) Law enforcement and other state duties ii) Socio economic development iii) Boost the start-ups and e-commerce.
The data protection law is designed to limit the processing of personal data to legitimate reasons where the flow of information is beneficial and respects autonomy of the data principal.
Data protection laws proposed in past:
Data localisation put out by the Justice Srikrishna Committee report last year, a few key ones are:
- Data localisation is critical for law enforcement.
- Access to data by Indian law agencies, in case of a breach or threat, cannot be dependent on the whims and fancies, nor on lengthy legal processes of another nation that hosts data generated in India.
For Instance, If data generated in India is stored in the U.S, it is dependent on technology and channels such as the undersea fibre optic cable network. In that case, there might be a chances of a tech or physical breakdown.
Therefore, the report recommends that hence, at least a copy of the data must be stored in India.
- It may not be wise for India to have the liberal rules as other nations would.
- A key observation of the report is that it is ideal to have the data stored only locally, without even having a copy abroad, in order to protect Indian data from foreign surveillance.
Does India have rules in place for data protection?
- Currently, the only mandatory rule on data localisation in India is by the Reserve Bank of India for payment systems.
- Among material available in the public domain on data localisation is the white paper that preceded the Jusitce Srikrishna Committee report.
- The second piece is the Draft Personal Data Protection Bill, 2018 itself which has specific requirements on cross-border data transfers.
- The draft e-commerce policy also has clauses on cross-border data transfer.
- For example, it suggests that if a global entity’s India subsidiary transfers Indian users’ data to its parent, the same cannot be transferred to a third party even with the user’s consent.
- It is well known that Canada and Australia protect their health data very carefully.
- Vietnam mandates one copy of data to be stored locally and for any company that collects user data to have a local office, unlike the EU’s GDPR; citing national interests.
- China mandates strict data localisation in servers within its borders.
- International reports refer to data protection laws in Vietnam and China as being similar, in that they were made not so much to protect individual rights as to allow government to control data.
- Brazil, Japan, Korea and New Zealand have put in place data protection laws.
- Chile has recently announced the setting up of an independent data protection authority, while Argentina is currently reforming its privacy legislation.
Response by developed countries on India’s data protection draft bill:
In September 2018, the EU had said in its response to India’s data protection draft bill that “data localisation requirements appear both unnecessary and potentially harmful as they would create unnecessary costs, difficulties and uncertainties that could hamper business and investments”.
It added that if implemented, “this kind of provision would also likely hinder data transfers and complicate the facilitation of commercial exchanges, including in the context of EU-India bilateral negotiations on a possible free trade agreement”.
For companies from one country doing business in another, it becomes cumbersome to have two different compliance levels.
Data localisation is essential to national security. Storing of data locally is expected to help law-enforcement agencies to access information that is needed for the detection of a crime or to gather evidence.
Where data is not localised, the agencies need to rely on mutual legal assistance treaties (MLATs) to obtain access, delaying investigations.
India has a stronger bargaining chip than most nations in pushing for data localisation — access to its billion-strong consumer market.
There will be ample of information for intelligence agencies, they may not waste their more time and energy and also there will be no fear to those officers to get information illegally if this law comes into existence.
Data is a two sided coin, in heads its showing a global flow of $2.8 trillian in 2014 and expected to reach $11 trillian in 2025 and in tails side breach of fundamental rights like privacy – Article 21 ( puttaswami vs union of india) and right to profess and practice once desired profession also indirectly impacting along with national security problems.
In this complex situation Government should frame a strong data policy which can utilise economic benefits and which can uphold its citizens rights and national security interests