Data Localisation

In News 

• Trade and industry bodies as well as some tech companies from the US have initiated talks with senior government officials in India to form a new working group to discuss issues related to the data protection Bill and other newer developments in India’s technology sector.

Background 

• Earlier this year, a US government delegation had raised concerns on certain aspects of cross-border flow of personal and non-personal data as well as storage of data located in servers outside Indian borders in the Bill proposed by India.
• In December 2021, the Joint Parliamentary Committee on Personal Data Protection Bill tabled its final report in Parliament. 
  • The Bill, which now includes non-personal data in its ambit, will simply be known as the Data Protection Bill.
  • One of the more contentious issues in the law Bill are the provisions pertaining to “data localisation”.

About the new group 

• The new group is likely to contain representatives from most of the big tech companies and will function differently from the currently operational India-US working group on information and communication technology (ICT).
  • The ICT was formed in 2005. The technology and Internet then was very different. That group has practically outlived its purpose. 
    • It has been believed that a new group would be able to discuss the nuances of PDP (data protection Bill) better.
  • It meets on an annual basis in India or the US to discuss various aspects of cooperation in the space of information and communication.
  • ICT mostly has representation from hardware manufacturers and software companies which provide software-as-a-service, which is not best suited for the changes that have since happened in technology.

What is Data Localisation? 

• Data localisation simply means restricting the flow of data from one country to another.
• It means that the personal data of a country’s residents should be processed and stored in that country. 
  • As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” (MLATs).
•  In India’s context, localisation will make it mandatory for companies collecting critical consumer data to store and process it in data centres present within India’s borders. 
  • In 2018, based on the recommendations of the Justice Srikrishna Committee, the Reserve Bank of India (RBI)  mandated companies to locally store and process sensitive data belonging to Indian users of various digital payment services. Until then, most data from India was being stored on a cloud database outside the country

Purpose of Data Localisation

• Protect the personal and financial information:
  • The main intent behind data localisation is to protect the personal and financial information of the country’s citizens and residents from foreign surveillance and give local governments and regulators the jurisdiction to call for the data when required. 
• Accessibility: 
  • This will be beneficial for law enforcement agencies in particular as they can scavenge it for proof in case of breach or threat. 
    • If it is stored outside India, access to this data will be restricted by local laws and Indian agencies will be dependent on the whims and fancies of the host-country governments for access..

• National security: 
  • Data localisation is essential to national security. Storing data locally is expected to help law-enforcement agencies to access information that is needed for the detection of a crime or to gather evidence.
    • It may also enable the better exercise of privacy rights by Indian citizens against any form of unauthorised access to data, including by foreign intelligence.
  • In the case of data being stored in countries hostile to India, say China, it can become a tool for mass surveillance
  • Data can be weaponized and Indians, especially State officials, could become vulnerable if Indian regulators were not in total control of all the locally generated data. 
• Economic benefits: 
  • The economic benefits will accrue to local industry in terms of creating local infrastructure, employment and contributions to the AI ecosystem.

Issues 

• Higher cost: 
  • Foreign firms are unwilling to comply as it would require them to spend money on infrastructure in the form of servers and buildings, and, of course, on employing local professionals to manage it.
  • Barriers to the free flow of data may hurt businesses by increasing delays and higher costs of collaborative research or partnerships outside India. 
    • Entities would need multiple separate processing centres if they serve consumers both within India and outside when a single centre would suffice.

• Misuse and surveillance of personal data:
  • Critics not only caution against state misuse and surveillance of personal data, but also argue that security and government access is not achieved by localisation.

•  Even if the data is stored in the country, the encryption keys may still remain out of the reach of national agencies.

• US concern:
  • Before its latest effort to deter India’s data localisation, the US had called the policy a ‘significant barrier to digital trade’.
    •  It wants India to eliminate trade barriers for American companies to cut the cost of doing business in India.
    • the U.S. criticised India’s proposed norms on data localisation as ‘most discriminatory’ and ‘trade-distortive’. 

•  EU’s stance: 
  • In September 2018, the EU had said in its response to India’s data protection draft bill that “data localisation requirements appear both unnecessary and potentially harmful as they would create unnecessary costs, difficulties and uncertainties that could hamper business and investments”. 
  • It added that if implemented, “this kind of provision would also likely hinder data transfers and complicate the facilitation of commercial exchanges, including in the context of EU-India bilateral negotiations on a possible free trade agreement”.

What do other countries do?

• The think tank European Centre for International Political Economy has found a surge in data localisation measures worldwide over the last decade. 
• Russia has the most restrictive regulation for data flow with strict localisation and high penalties. 
• The European Union’s General Data Protection Regulation (GDPR) does not mandate all data to be localised, but rather restricts flow to countries with a strong data protection framework.
• The China government mandates localisation for all “important data” held by “critical information infrastructure” and any cross border personal data transfer must undergo a security assessment.
• The United States leaves regulation up to the state and sector. 
  • President Donald Trump signed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) which established data sharing with certain countries.

• It is well known that Canada and Australia protect their health data very carefully. 
• Vietnam mandates one copy of data to be stored locally and for any company that collects user data to have a local office, unlike the EU’s GDPR; citing national interests

Way Forward 

• In present circumstances, it becomes important for the joint parliamentary committee currently examining the Bill to conduct a more in-depth evaluation of the localisation provisions in the law. 
  • The joint parliamentary committee ought to, ideally, identify the need, purpose and practicality of putting in place even the (relatively liberal) measures contained in the PDP Bill. 

• Further, in order for localisation-related norms to bear fruit, there has to be broader thinking at the policy level. 
  • This may include, for instance, reforming surveillance related laws, entering into more detailed and up-to-date mutual legal assistance treaties, enabling the development of sufficient digital infrastructure, and creating appropriate data-sharing policies that preserve privacy and other third party rights, while enabling data to be used for socially useful purposes.

Source:IE