JURIST Guest Columnist Akshat Agarwal, a student in his final year at Jindal Global Law School, India, discusses the potential ramifications of India requiring all data to remain in country...
The Personal Data Protection Bill, 2019, which is a data privacy code, similar to the GDPR in the EU, has recently been passed by the Union Cabinet, and has been presented before the Lok Sabha for determination of enactment. In light of this, I seek to specifically analyze the important provision pertaining to data localization that is present in this bill and the Justice Sri Krishna Committee report which ultimately resulted in the formulation of this bill. Specifically, Section 40 of the bill states:
40. Restrictions on Cross-Border Transfer of Personal Data. —
(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.
(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.
(3) Notwithstanding anything contained in sub-section (1), the Central Government may notify certain categories of personal data as exempt from the requirement under subsection (1) on the grounds of necessity or strategic interests of the State.
(4) Nothing contained in sub-section (3) shall apply to sensitive personal data.
In today’s geo-political ecosystem, personal data behaves like a subject of trade, analogous to currency. This directly leads to a demand for capturing data by nation states. Cross-border data access, use and exchange are integral to economic development in the digital age, wherein every sector, from manufacturing to agriculture to retail, requires a data flow. Global data-based infrastructures like cloud computing emphasize cross-border economic activity, therefore enabling the participation of various smaller entities and start-ups in global markets. Further, an increase in access of information (through cross-border availability of data), proportionately increases efficiency and productivity of markets, accelerating the spread of ideas, research and more samples of information. The importance of global data flow, has been recognized by the European Commission as well, wherein it stated that “data flows and transfers form an integral part of commercial exchanges for new growing digital businesses, such as, social media or cloud computing.” Due to the advent of data driven innovation, it has been estimated that cross-border data flow has, in the recent past, contributed 1/3rd to the 10% increase in the Global GDP, and such a significant contribution is likely to rise due to the surge in data flows.
It is observed however that the Indian Government has implemented measures imposing a condition on service suppliers to store data on domestically located servers and localize data processing within the boundaries of their territory. These restrict and prohibit cross border services, and force companies to replicate the data storage infrastructure thereby increasing the compliance and investor cost, as well as creating data security issues. These limitations impede new global services and are an anathema for those advocating the concept of globalization. Next-generation services like Google Glass, Driverless Cars etc., require such an extensive inflow of data without any barriers, and such restrictions on cross border data flow, prevent venture enterprises dealing in such emerging businesses to enter certain markets. This has been argued to be not only be detrimental for the end consumers and these multinational companies aiming to provide such services, but also for small enterprises in such local jurisdictions, which depend on these global services and their scalability to rise up and advance their competence and market grasp. The value of such exposure is being belittled by policy makers supporting data localization. Even the Organization for Economic Co-Operation and Development (OECD) has stated that “nations should avoid barriers to the location, access and use of cross-border data facilities and functions” out of concern about the constraints on data and informational flow and its consequences on global economic development.
Reasons for Constraining Data Flows and Encouraging Localization
The major reasons cited by the Government for employing data localization measures and restraining cross-border access to data are privacy, security, a check on foreign surveillance and increased development of local businesses. The security-driven school of thought argues in favor of national security over the importance being given to technological flow and freedom to disseminate information especially in the Post-Snowden era. Specifically, in the wake of the Puttaswamy judgment and the Cambridge Analytica-Facebook incident, there is a rise in the demand of data protection and sovereignty, given the amount and multitude of information shared online and the possible harms of unauthorized disclosure. However, it has been argued pertinently that the “balkanization of the Internet has larger security implications.” A better way to look at it is strengthening privacy laws without impinging upon the transcendental benefits offered by global access of data through the internet.
Another reason for such localization of data is its potential for weaponization through digital platforms increasing the demand for digital sovereignty. Further, the Srikrishna Committee report has cited the example of China and its AI driven growth along with its contribution to the economy and has tried to relate this development to the stringent localization measures followed by China. Other benefits of data localization have been cited in the report referring to (i) increased foreign direct investment in digital infrastructure and (ii) positive spill-over effects of an indigenous market for data centers through job creation and localization of skilled professionals.
Flaws in the Reasoning of Localization
Firstly, with respect to the increase in local investment as well as Foreign Direct investment to promote indigenous start-ups in the digital infrastructure, it must be recognized that data localization would require the ISP to employ a physical, local infrastructure in every operative jurisdiction. This is a disincentivizing factor as it heavily increases the financial burden of setup. For the local storage of data, data centers need to be set up which are expensive and resource intensive. Further, this move fulfills the rich getting richer aphorism, as only larger players like Reliance and PhonePe, or Paytm would be able to afford the same, rather than the smaller players like MobiKwik. It is the consumers who are most likely to bear the brunt of this, by losing access to many services which get discontinued due to the compliance costs involved. Country specific reciprocal measures are another economic consequence of this diplomatic practice, wherein reciprocal barrier to entry for Indian firms seeking to take advantage of globalization could be imposed. Reciprocal protectionism is harmful for not only these businesses but also for the local consumers. Such a measure goes against the economic policies of the current government as well, wherein the main idea is promotion of startups. However, these startups although willing to invest in the Indian Market, might just not have large enough capital to set up a local data storage unit, which deters such investment. The United States has harshly criticized this move, showing its intention of imposing a reciprocal barrier.
Secondly, questioning the claim of National Security, restricting data within a limited geographical territory rather makes the data more vulnerable to security leaks. Using local measures as an instrument to protect data rather than more specialized global ones brings in weaker authenticity and a loss of a competitive edge on competence. Weaker security measures are more prone to foreign surveillance. Security of data cannot be determined by a single factor of storage, rather it depends on intelligence of security protocols, usage of encryption technology, and IT infrastructure. Also, the localization of data makes it easier for surveiling organizations as it eases the logistical burden of finding and overcoming various levels of security measures. This has been referred to as the “Jackpot” problem.
It must be noted that governments on the one hand, argue for localization and constraining data flow and on the other hand routinely themselves share data and intercepted information with one another. Further, security of personal information with the government and on its devices cannot be conclusively argued to be better as it certainly increases the vulnerability of state surveillance and censorship affecting consumer choice as to choosing their own entity to store their data and secure it which they believe would fulfill their needs in the best possible way. It takes the form of an imposition and goes directly against the concept of democracy.
Thirdly, as far as the reasoning of AI development through localization and the premise of China being a technological superpower due to such data localization is concerned, it has been noted that China has a lot of developed companies and is not a developing economy. Further, attributing the Chinese technological boom to data localization is not supported empirically and there are a range of other factors that may have led to China’s success. These need to be evaluated in the context of India’s developmental state to derive a dependable conclusion and comparison.
The solution to digital colonization is stronger security and privacy measures and not protectionism. India needs to invest in strengthening data privacy fundamentally rather than setting up local data storage units which will constrain data flow. Specifically, for the big technology-driven companies like Amazon, Facebook, Google etc, India is a lucrative business avenue and this needs to be realized before repelling such companies from conducting business in India with Indian consumers by increasing compliance costs through local data storage.
Akshat Agarwal is a final year law student at Jindal Global Law School, India, and will be graduating next month. He is also the Editor at the Jindal International and Comparative Law Journal, as well as a Co-Editor at the IPRMENT Law Blog. Akshat’s research spans Intellectual Property Law, Technology, and digital governance of culture and the information economy.
Suggested citation: Akshat Agarwal, Data as a Tool for Diplomacy in India, JURIST – Student Commentary, May 18, 2020, https://www.jurist.org/commentary/2020/05/akshat-agarwal-data-localization-india/
This article was prepared for publication by Tim Zubizarreta, JURIST’s Managing Editor. Please direct any questions or comments to him at firstname.lastname@example.org
Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.