WE NEED A COST-BENEFIT ANALYSIS OF DATA LOCALIZATION

Context:

  • The recent furore over data localization in social and print media due over the claim that the provisions in Draft Personal Data Protection Bill were being watered down to apply only to critical personal data.

Introduction:

  • Data localization is a measure adopted to give countries increased control over the data belonging to their citizens and residents.
  • Due to the transient and pervasive nature of data on the internet, its security is constantly threatened and indeed been breached at several instances.
  • Data localization is therefore conceived as means of enforcing data protection regime to secure data of the citizens and the critical interests of the nation state.

What Does Data Localization Mean?

  • Data localization is the act of storing data on any device that is physically present within the borders of a specific country where the data was generated instead of allowing them to cross borders for processing.
  • Localisation mandates that companies collecting critical data about consumers must store and process them within the borders of the country.

Data Localization – A Worldwide Perspective

  • Every modern privacy law has regulations that limit the transfer of data out of the country

1. European Union – Adequacy Test

  • It applies an adequacy test, only allowing data to be transferred to countries that have at least the same level of data protection as the EU.
  • Even within a group, data can only be transferred to companies in other countries if they have agreed to a set of binding corporate rules that apply EU privacy principles to intragroup data transfers.
  • Transfers out of the group are only allowed if the transferee agrees to standard contractual clauses that have been pre-approved by EU data regulators.

1. China:

  • China relies on a certification process that only allows data to be transferred abroad if the recipient has been approved and its data protection practices (with respect to storage, processing and protection) certified as meeting the prescribed standards.

2. Bilateral Agreements:

  • Some countries have set up bilateral agreements for the transfer of data and the best known of which is the US-EU Privacy Shield.
  • It was arrived at in order to allow personal data flows between the US and the EU, even though US privacy laws were not adequate from an EU perspective.

3. Multilateral Agreements:

  • The APEC Cross Border Privacy Rules system allows the free flow of data between organizations in signatory nations based on certifications issued by accountability agents situated in each such jurisdiction.
  • At the G20 summit in Osaka, Japan proposed a multilateral arrangement called “Data Free Flow with Trust” that proposes an inter-jurisdictional cooperation regime for information sharing, investigation and cross-border enforcement.

Key features of Data Localisation (Worldwide)

1. Partial Restrictions on Data Movement:

  • Sovereign nations have always found ways to exercise sovereignty over the personal data of their citizens.
  • This has usually taken the form of restrictions on the movement of data across national borders.
  • Businesses that operate transnationally are accustomed to this. They are used to frequent reorganization of their operations to comply with the latest restrictions imposed on the data.

2. Conditional Transfer Restrictions:

  • The primary purpose is to set out the grounds under which data can flow between nations.
  • It is implied but left unstated is that if any or all of the conditions of transfer are not satisfied, the data that is sought to be transferred will have to be processed domestically.
  • This means that even if not explicitly stated, all modern privacy laws have default localization provisions.

Policies that imply data localization in India:

1. Srikrishna Committee Report:

  • Atleast one copy of personal data will need to be stored on servers located within India.
  • Transfers outside the country will need to be subject to safeguards.
  • Critical personal data will only be stored and processed in India.

2. Draft National E-Commerce Policy Framework:

  • Recommended data localisation and suggested a two-year sunset period for the industry to adjust before localization rules becomes mandatory.
  • Proposes incentives to encourage data localization and grant infrastructure status to data centres.

3. Other Policy Frameworks:

    The other Policy Frameworks that recommend data localization are:

    • Draft National Digital Communications Policy 2018
    • Guidelines for Government Departments for Contractual Terms related to Cloud Storage 2017,
    • Draft e-commerce policy and the draft report of the cloud policy panel show signs of data localization.

Why data localization is necessary for India?

  • Digital technologies like machine learning (ML), artificial intelligence (AI) and Internet of Things (IoT) can generate tremendous value out of various data. It can turn disastrous if not contained within certain boundaries.
  • Right to privacy: Recent judgement of Supreme Court in K.S Puttaswamy vs. Union of India made it clear that right to privacy is a fundamental right. Protecting and preserving the personal data becomes imperative in this regard.
  • With the advent of cloud computing, Indian users’ data is outside the country’s boundaries, leading to a conflict of jurisdiction in case of any dispute.
  • Data localization is an opportunity for Indian technology companies to evolve an outlook from services to products. International companies will also be looking at the Indian market, and this will benefit the growth of the local ecosystem.
  • More data centres in India could mean new, power-hungry customers for India’s renewable energy market. That means Data localisation could boost India’s renewable energy.

India’s approach towards data sovereignty:

  • Every other country has recognized data transfers as the norm, permitting the free flow of data across borders and only applying restrictions to either address inadequacies in the legal regime or in the privacy practices of the recipient.
  • But India has made localization the default, prohibiting the movement of data across national borders in all but a limited number of circumstances.

Way Forward:

  • Ever since economic liberalization, India has been an active participant in global trade, a veritable poster boy for free trade and the cross-border flow of goods and services.
  • So precisely this attitude of openness, this willingness to trade with everyone, that is the reason why we have been the recipient of such vast inflows of trade and foreign direct investment.
  • Given our reputation for openness, this approach of requiring data localization by default seems somewhat out of character.
  • So, everything we think we’ll get by localizing data can just as easily be achieved through the careful application of restrictions on cross-border data transfers.
  • All we just need to do is to look at the problem from a different perspective.
Share Socially