[Varnita Singh is a 4th year B.Sc., LL.B. (Hons.) student at Gujarat National Law University in Gandhinagar]
After much anticipation, the Data Protection report (Report) and draft Personal Data Protection Bill, 2018 made by an expert committee under the chairmanship of Justice B.N. Srikrishna was presented to the Ministry of Electronics and Information Technology on 27 July 2018. The Report is a welcome move as it embraces the importance of data protection and right to privacy as a fundamental right in furtherance of the Supreme Court judgment in Justice K.S. Puttaswamy v. Union of India.
An interesting proposal made by the Committee is that to ensure enforcement of the data protection law, it would be necessary to localise data within India. In this regard, the Committee has proposed a ‘three-pronged model’ in which personal information has been classified into three sets. The first set includes all personal data to which the law applies. A live copy of all such data must be stored in India. The second set comprises of personal information ‘critical’ to national interest. Such information can only be processed in India and cannot be transferred outside India. ‘Critical data’ has been given a broad ambit to include not just sensitive data necessary to be protected from foreign surveillance but also any data necessary for the economy and functionality of the nation-state. The Personal Data Protection Bill under clause 40(2) allows for the Central Government to decide on the categories of critical data. Finally, the third set of data comprises personal data that the Central Government exempts from the mandate of localization. The Central Government can make such a decision based on strategic and practical considerations such as health emergencies.
Intention behind the mandate
The Committee attributes law enforcement as the primary reason behind the data localisation requirement. Through localisation, law enforcement agencies will have quicker access to the data and will not have to await multiple permissions from other jurisdictions where data maybe located. Law enforcement has been cited as a reason for localisation in the past by countries such as Indonesia, Russia and Vietnam. It was also the reason behind the data localisation mandate for payment systems that the Reserve Bank of India issued in early April this year.
With localisation, the Committee also hopes to reduce foreign surveillance and catalyse the growth of digital economy in India. Companies such as Google, Alibaba, Amazon and Microsoft have already opened data centres in India and the localisation if enforced, is likely to increase the number of data centres in India. Although the intention confronts legitimate concerns, the impact of the policy on the consumer, economy and digital ecosystem is far from expectations.
Bad news for the consumer and economy
Without doubt, the localisation mandate if implemented will drastically impact market stakeholders and proposed investors because of the increase in digital infrastructure costs. An ECIPE report suggests that complete data localisation could cause a 0.8% drop in the Indian GDP.
The Committee argues that mere increase in cost cannot hamper legal developments and the benefit of localisation drives to the inherent objective of data protection. However, the cost-benefit analysis suggested by the Committee is flawed on two grounds. First, the localisation deeply affects the consumer or the data principal because splitting the data into various jurisdictions instead of keeping it in an integrated form goes against the global anti-fraud system that many companies have set up. Thus, data becomes more vulnerable to security breaches. Second, the impact of the requirement not only causes higher cost in establishing data centres but also calls for a re-architecture of global based systems which can impact the performance and quality of products and services. In the past, localisation measures have also caused certain companies to leave the market. The suspension of PayPal services in Turkey most localisation measures is one such example.
Creating a nourishing digital ecosystem
The Committee suggests that storing and processing data in India will provide a vast database which will help foster the artificial intelligence industry in India. Although localisation can improve the artificial intelligence market in India, it can cause a large hit on other advancements in information technology like Internet of Things (IoT), big data and cloud computing which thrive on the cross border flow of data. According to a recent NASSCOM report, by 2020, the IoT market in India could account for up to 5% of the global market and could reach USD 15 million. A Gartner report published before the localisation mandate showed that the cloud market in India could grow by 37.5% in 2018. If the localisation mandate is implemented, it is likely to dampen this growth because small and medium businesses will be unable to access the global cloud market to store data.
The convergence of IoT, big data and cloud computing can revolutionise the healthcare system by evolving the process of diagnosis and therapeutics. Bylocalising health information and permitting transfer only in cases of emergency, Indians will miss out on the benefits of sophisticated medical services like IBM Watson which use such technology and data analytics for diagnosis.
If localisation were truly the solution to digital empowerment, Singapore would not be the leader of digital transformation in Asia. Instead of focusing on protectionist policies like localisation, Singapore has accelerated digital growth through investment in skill training programs, IoT programs and data analytics.
Intent vs Impact: is there congruency?
Despite the effect that localisation can have on the industry and innovation, the move could be justified if it served larger public good of complete data security and law enforcement. However, as the Committee has acknowledged, the mandate is not infallible. It only reduces the ‘possibility’ of not having access to data within the realm of the Data Protection Law. Moreover, the growth it can provide to the digital ecosystem is short-term and creating policies which nurture innovative companies and train persons to create skilled professionals would provide sustainable growth in the industry. Since localisation leaves the problem it seeks to combat unanswered, it is necessary for the Parliament to look at better solutions for data protection.
In my opinion, it is important to protect and localise sensitive data important to national security from foreign surveillance. However, as regards to other data falling within the ambit of the Data Protection Law, implementing an all stakeholder inclusive policy which mandates companies to provide data to law enforcement agencies when requested for will overcome the problem of law enforcement and harmonize the interests of the company, data principal and the nation.
With data localisation, the Committee has tilted the balance in favour of data sovereignty instead of data autonomy which mutates the nature of ownership of data from person-based to state-based. Perhaps, promoting cross border transfers by adopting data liberal policies instead of mirroring the regressive policy adopted by other countries could lead to India becoming a pioneer in the digital revolution.
– Varnita Singh