Govt's Plan to Relax Data Localization Norms Sparks DebateSecurity Leaders Discuss Impact of Proposed Change
Even as companies such as Tik Tok, Visa and MasterCard gear up to establish local data centers in India to comply with the demand for data localization, the Government of India is mulling a change in its stance. In a new development, the proposed (draft) Data Protection Bill will now be tweaked to allow personal information which is not "critical" nor "sensitive" to be stored and processed anywhere in the world, while only data classified as critical would be kept solely in India, according to a report in the Financial Express.
See Also: The Evolution of Email Security
ISMG reached out to an official in the Ministry of Electronics and Information Technology, who neither confirmed nor denied the report, but said that a decision will be taken keeping in mind industry needs as well as data protection requirements. "Under any circumstances we will not compromise on data security of our citizens. We are working out the best possible solution which will not hurt either the industry or the citizens," says the minister requesting anonymity as he is not authorised to speak to the media.
Ever since the committee headed by Justice Srikrishna announced its suggestions on data localization in July 2018 there has been a significant debate around the topic. The original draft of the Personal Data Protection Bill, 2018 had suggested that a copy of all personal data be stored in India, while "critical" information had to be mandatorily stored only in the country.
However, companies such as Facebook, WhatsApp and others have since opposed the move, with the U.S. and EU governments saying data localization would impact trade ties with India. "As a matter of economic policy, such an approach (data localization) will create significant costs for companies - in particular, foreign ones - linked to setting up additional processing/storage facilities, duplicating such infrastructure etc and is thus likely to have negative effects on trade and investment. If implemented, this kind of provision would also likely hinder data transfers and complicate the facilitation of commercial exchanges, including in the context of EU-India bilateral negotiations on a possible free trade agreement," Bruno Gencarelli, the head of International data flows and protection at the European Commission, had said.
The proposed change, if it happens, will likely be a relief to foreign companies that have argued that data localization would lead to increase in cost without actually guaranteeing more data security. Even though India is a big market for many companies and can afford to exert its might globally, data localization would also impact its software industry, which relies heavily on cross border data transfer.
Understandably, the proposed change in government stance creates polarized opinions, with some observers supporting it, while others request that the government not "give in to pressure" from Western lobbyists.
Against this backdrop, government officials in a recent meeting, along with experts from the SriKrishna committee, have decided to hold further discussions on the matter.
The Positives of Data Localization
Given the position of Indian government as reflected in various regulatory policies and the draft data protection bill, stakeholders have expressed concerns around any mandated blanket data localization approach, which is increasingly seen as a panacea for problems ailing national security, applicable jurisdiction, timely access to data by law enforcement agencies, etc.
In an interaction with ISMG earlier this year, Justice Srikrishna clarified his stand on data localization and said the step was needed to help law enforcement in rising cyber incidents, as well as protecting the privacy rights of Indian citizens. "We have seen multiple cases where for years a simple case could not be closed because required data is stored on servers which are located beyond our borders."
Prashant Mali, cyber lawyer at Bombay High Court, while supporting complete data localization across all industries, says it is needed to give faster justice to people who have been defamed online or fallen prey to cybercrimes. "Data localization means having the sovereign data in sovereign borders protected by local laws. Anti-data localization policy organizations are on the prowl. We need to have a strong counter front," says Mali.
Absolutely correct. US Tech giants need Indian market access and they need to play by Indian rules. GOI needs to stand firm on #datalocalisation— Shashidhar CN (@cns1900) July 28, 2019
Statistics show that number of cybercrime cases in India has been steadily rising. In 2018, Bangalore saw, 5035 complaints registered at the lone cybercrime police station in the city. Maharashtra saw 2,945 cases were registered in the state till September 2018.
Reliance Jio, the telecom unit of Reliance Industries, supports the requirement and a framework for data localization to ensure cyberattacks are prevented. In its annual report, it said recently that Jio is a strong supporter of local storage of data, which is critical for national interest and security. It also added that Jio believes Indians are true owners of their data, and ownership should not be transferred to any corporate entity.
Cons of Localization
Multiple experts and security practitioners from various industries - especially ones headquartered abroad - have questioned the logic behind storing all data across industries locally. While all agree that critical data such as payment data and other sensitive information needs to be stored and processed in India, they argue that a blanket requirement for every industry is impractical.
Rahul Matthan, fellow with Takshashila's Technology and Policy Research Programme, questioned the need to have complete data localization or the necessity to store mirror image of data locally. "I doubt if data localization in any way will lead to more security of data," Matthan says. "While storing sensitive personal data locally makes sense, one can't have a blanket requirement for every industry."
"We need to find a balance between all the benefits that data gives us. We are not going to solve this problem by being too prescriptive about it," Matthan says.
Experts say the key is to balance privacy and industry needs. "Mandating local storage of all personal data of Indians by all platforms and services operating globally can turn to be counterproductive that could result in some platforms and services boycotting India," says Rahul Sharma, founder of The Perspective, a firm that focuses on policy making. For instance, many news websites operating out of U.S. have geo-blocked EU-based IP addresses as they didn't want to subject themselves to GDPR.
"Data localiization will lead to increase in cost of operations and compliance that impacts businesses, restricting the ability of companies to opt for partners and solutions that process data outside India. It will also impact Indian IT and BPO industry which relies on cross border flow of personal information if other countries reciprocate," Sharma says.
According to statistics available, the Indian IT services industry contributed 54.4 percent of total India's total gross value added services in the year 2018. According to CIA Fackbook's 2017 data, India's services sector contributes 61.5 percent to the country's GDP.
One of the strong arguments against complete localization has been the high cost. A study by Leviathan Security Group, a U.S.-based cybersecurity company, has found that data localization has always resulted in increase in cost. For example in Brazil, a company would pay 54.65 percent less by using cloud servers outside of Brazil. Similarly, businesses that move their servers outside the European Union could save more than 36 percent on their server cost.
Experts are waiting for the bill to be chaired in the Parliament and agree that nuanced detailing on localization and cross-border data flows provisions should follow after a detailed study on pros and cons.
Prasanth Sugathan, legal director at Software Freedom Law Center, a non-profit organization based in New Delhi that promotes innovation and open access to knowledge, believes that the privacy problem will not be solved by hosting servers in India. "What is needed is a strong privacy law. For instance, the law must clearly mention under what circumstances can the government have access to citizens' data," says Sigathan.