Google CEO Sundar Pichai in a letter to Union IT minister Ravi Shankar Prasad, has proposed for a free flow of data across borders in order to ensure that global companies contribute to the Indian digital economy. According to Pichai, the free flow of data should also help Indian startups planning to expand globally. Of course, this data flow would have a focus on user privacy and security according to the letter.
The letter was sent across to Prasad around 5 September according to a report by PTI, on the occasion of Prasad visiting the Google campus in Mountain View, California.
The letter also comes at a time when the Justice BN Srikrishna panel has submitted its recommendations and the draft data protection bill, which highlights the need to have data localisation.
What is data localisation?
Data localisation is the process of ensuring that data held by global IT, financial or any other companies on the citizens of a country, stays within that country.
To give an example in the Indian context, companies such as Google, Amazon, Facebook and many more, are global giants with a lot of Indian users. According to the Srikrishna panel, 8 out of 10 most accessed websites in India are owned by US entities. When the government asks for data localisation, it is basically asking these companies to store the data that they have on Indian users, in data servers located in India. The idea behind ensuring data localisation is to ensure that sensitive and private data of Indian citizens is stored on Indian soil.
What does the draft data protection bill say about data localisation?
According to the Justice BN Srikrishna panel, data localisation rules are to be imposed under Section 40. Section 40(1) of the Bill imposes data mirroring requirements on personal data, with at least one copy of all personal data to be kept on a server in India. Section 40(2) allows the Central Government to specify categories of ‘critical personal data’ that cannot be taken outside India, thus imposing data localisation norms. What exactly this 'critical data' is, is yet to be finalised by the government.
The justification being offered by the committee is that data localisation should help with enabling better law enforcement, contribute to a better AI ecosystem and will prevent foreign surveillance. Another justification offered is that the cross-border data transfer via undersea cables is vulnerable to sabotage and can lead to potential economic turmoil and civil disorder.
What does the RBI data localisation mandate state?
According to the Reserve Bank of India, digital payment companies have been given a six-month deadline to ensure that all ‘payment system providers’ should store all data relating to the payment systems in India only. A ‘payment service provider’ as specified under the Circular, is any person who operates an authorised payment system, or a system that enables a payment between two persons, as per the provisions of the Payment and Settlement Systems Act, 2007.
Why do global companies want leniency when it comes to data localisation?
Data localisation means an additional investment for a lot of the companies who do not have the data stored in the country. Multinational internet companies which deal with data of Indian citizens will have to ensure that they build and maintain data centres locally to store data, which is not only a resource-intensive initiative but for many global companies, it would affect their future plans in India as increased costs pertaining to setting up local data servers would have to now be factored in.
According to this Reuters report, in a meeting organised by lobby group US-India Strategic Partnership Forum, company executives from Facebook, Mastercard, American Express, Visa, PayPal, Amazon, Microsoft and many others discussed plans to approach Indian lawmakers to discuss plans on data localisations. The RBI mandate puts a question mark over whether the data localisation rules apply only to payment gateways or payment aggregators as well. This ambiguity is preventing Apple Pay from launching in India.
There have been many instances in the past where during criminal investigations, it has been difficult to get data from a foreign entity as the servers holding the data are located outside Indian territory. The only way to obtain this data currently is via a mutual agreement between India and the foreign site. With the US-based sites, a mutual legal assistance treaty (MLAT) process is to be followed to get data from US companies, as the US law prevents its companies from sharing user data with any foreign law enforcement agencies. According to a report in The Hindu, this will not change even with data localisation norms coming into play in India.
How enforcing data localisation in today's day and age isn't feasible in the long run
At a time when operations are moving to the cloud, the need to have a local data repository seems redundant. Startups wanting to expand abroad and international startups wanting to come to India would have to ensure that they have local data servers if indeed the data localisation policy becomes a law. For big companies such as Google, Microsoft, Facebook, Amazon and others, it won't be that great a deal to have a local server in India. But it would not be practical for a lot of startups who are trying to cut on costs by investing in cloud computing, for their data storage as well as computing needs.
Data localisation also wouldn't give Indian government entities complete control in case of criminal matters. For instance, if the perpetrator is not an Indian entity, then law enforcement would still have to go through the current route of MLATs to get data on the perpetrator.
Also, let's not forget that India's IT and ITes industry has benefited from cross-border data flow and imposing a data localisation rule now, would severely affect that.
According to Eben Moglen and Mishi Choudhary of SFLC.in, data localisation can impose severe costs that override the benefits. In a past comment piece on tech2, Moglen and Choudhary argue, "In societies not governed by the rule of law, localisation amplifies the power of the organs of oppression, just as the form of "personal localisation" represented by the Berlin Wall and the Iron Curtain amplified the power of Stasi and the KGB. But for democracies, like India or the US, data localisation is altogether the wrong approach to law enforcement in digital society."
Global public policy adviser at Mozilla Corp, Amba Kak, seems to echo these sentiments. According to Kak, data localisation is an issue that's important enough to be discussed at India-US trade level. "Data localisation is not just a business concern, it potentially makes government surveillance easier, which is a worry," says Kak.
Concerns about government snooping aside, does India even have the infrastructure to house that many data centres? According to this report in Mint, over 80 percent of India's data centre supply is concentrated in five cities, and a government panel has been appointed to identify 20 locations which would be conducive to hosting data centre infrastructure.
There are many issues pertaining to data localisation in the current scheme of things.