Data localisation, in general, refers to the process of physical storage of data within the national boundaries of the country, where its processing is done at the local level, within the country, governed by the laws of the land.
India’s mandatory data localisation position has garnered support from United Nations-backed bodies, marking a shift towards genuine concerns as expressed in many quarters. The United Nations Conference on Trade and Development (UNCTAD) in its Digital Economy Report 2019, observed that governments may choose to restrict data flow for the reasons of privacy of data and protection of their citizen’s interest in security and development.
The report further stressed- “the only way for developing countries to exercise effective economic ‘ownership’ of and control over the data generated in their territories may be to restrict cross-border flows of important personal and community data.” It argued localisation of data was necessary as in the absence of any global agreement for recognising ownership of community data, once the data leave the country of origin, the notion of ownership becomes largely blurred.
In this article, we shall be discussing data and various debates, perspectives of the constitutional aspect of rights of citizens, efforts securing the national interest. Further, this article covers other significant dimensions, keeping in mind the demands of the preliminary as well as the main examination of the UPSC IAS Exam.
Why Data Localization is in the news?
In recent months, discussions on data and various steps to follow the guidelines issued by the government to the social media giants, payment solution providers, agencies and intermediary MNCs storing data have been in the news. Further, in the recent past, the Reserve Bank of India issued a circular stating that payment system operators shall store the entire financial data within the territorial jurisdiction of India, and later clarifying, that if data is processed outside India, then it shall be brought back within 24 hours and shall be deleted anywhere else. In the case of cross border transactions, a copy of such data can be stored.
Why is Data Localization important?
Protecting Personal Data
- The personal and financial data which is available on the cloud is subject to foreign surveillance.
- The issue of Cambridge Analytica (who are alleged to have influenced voting behaviour, and thereby the outcome, on data.)
- Data harvesting threats.
- Better control on the nature of the use of Data, the extent of the use.
- India would have a competitive edge for their local companies, in the case of localised data.
- The information capital available to the domestic market and company in specific will be profitable for them.
- The government can tax the revenue generated from that data, wherever feasible, akin to taxation on the inflow and outflow of goods and services.
- Job opportunities within the country will rise for the data analytics sector and thus, witness economic development.
Law Enforcement Issues
- Storage of data at a local location facilitates access to information by the authority when needed.
- Local Storage of data is necessary for smooth law enforcement, without any additional measures.
National Security Dimension
- Law enforcement agencies often require information while investigating crimes.
- Local storage of data can help these authorities to access it in a timely manner.
- When data is not stored locally, agencies have to access the Data through Mutual Legal Assistance Treaties (MLATs)
- Countries sign agreements under this, intending to aid each other in the legal processes of respective countries.
- In some cases, it delays the investigation of crimes.
Asymmetry in a Level Playing Field
- The regulatory playing field in the technological sector is different for a developing and a developed country, putting the developing nation at a disadvantage.
What are the Challenges for Data Localisation?
- When data is stored within the country, then the government will have to work on the functioning and effectiveness of payment system operators, incurring a much higher operational cost than usual.
- Lack of proper infrastructure required to collect and manage data.
- Localisation of data can address foreign misuse, but the threats and risks involved in the domestic management of data are valid concerns.
- Inadequate infrastructure can hamper the paramount objective of localisation, i.e., security.
- Difficult for small-scale firms, startups to scale up their operation for creating local storage infrastructure.
- Could be a time-consuming process, where easy and profitable offshore cloud host services are available.
Data Protection – Rules in Operation
The RBI in its First Bi-monthly Policy of 2018, and subsequent notifications, published the type of data to be stored in India, such as customer name, payment sensitive data and transaction data.
- It observed considerable growth in the payment ecosystem in the country.
- Systems are also highly technology-dependent, which necessitate the adoption of safety and security measures, best in class, on a continuous basis.
- It is observed that not all system providers store the payments data in India.
- In order to ensure better monitoring, it advocated unfettered supervisory access to data stored with these system providers as also with their service providers/intermediaries/third-party vendors and other entities in the payment ecosystem.
- All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India.
- This data should include the full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required.
- System providers shall ensure compliance of (i) above within a period of six months and report compliance of the same to the Reserve Bank latest by October 15, 2018.
- System providers shall submit the System Audit Report (SAR) on completion of the requirement as (i) above. The audit should be conducted by CERT-IN empanelled auditors certifying completion of activity at (i) above.
- The SAR duly approved by the Board of the system providers should be submitted to the Reserve Bank no later than December 31, 2018.
Personal Data Protection Bill
- The Ministry of Electronics and Information Technology, Government of India, formed a committee under the chairmanship of retired Supreme Court judge, Justice B.N.SriKrishna.
- The committee aimed at comprehending and formulating data protection laws and drafted the Personal Data Protection Bill.
- It applies to the processing of personal data by the companies registered in India, foreign companies dealing with personal data of individuals in India, and the Indian Government.
When the world is moving towards a global village economy, data is the new oil, destined to bring revolutions. The question of personal data and scope of misuse, adverse impact on national security, issue of privacy all have gained currency, and the efforts to have a comprehensive provision for data protection, legislation is emphasized by the government machinery. Data localisation is a step in that direction.
It is necessary to evolve a mechanism- global standard procedure, to reap the benefits of a digitized economy and larger job creation, unleashing growth and international cooperation. A standard procedure protecting the interests of the developing nations and simultaneously giving the rightful share to the developed nations for their technological contribution is appreciated. Having said that, it must not be forgotten that the right of individuals and the threats of violation of the fundamental rights, theft of crucial financial, personal data must push us to invest in a system where data localisation is prioritised for protecting the interests of the stakeholders, simultaneously addressing the safety concerns, even at the country, where the data originated.
This article is relevant for the sections of Polity, Economy and Current Affairs part of the UPSC Syllabus prescribed for Preliminary and Main Stages of Civil Services Exam.