Data Localisation: Whose Data is it Anyway?
[Lakshaya Grover and Mustafa Rajkotwala are students of NALSAR University of Law, Hyderabad, with keen interest in the area of data privacy law.]
The rise of ‘data’ over the years as the prime resource of the internet era is as impressive as it is certain. It cannot be contested that access to data and data patterns is central to charting out the way human beings interact; the extent to which data can affect tangible phenomena can be estimated by looking at the infamous Cambridge Analytica debacle that exploited critical data breach to influence political outcomes. Data is as invaluable for the companies that rely upon the behavioural analysis of user spending patterns as it is critically precious to the governments for determining the way the populace thinks. The crucial nature of this commodity makes it necessary to subject it to legal liability and make it easier for local administrations to hold accountable. At the same time, it is also crucial that the legal provisions binding the paradigm of data do not hinder the growth of the nascent industries it has given rise to. Striking a balance should be the aim of any legal policy advancement in this area. The most substantial development in India regarding ‘Data Privacy’ was the constitution of the Justice B. N. Shrikrishna Committee (Committee) by our policy-makers. The report submitted by them (Report) highlighted several important issues, including the requirement of ‘clarity of purpose’ when collecting personal data of people, the right of the state to seek information it deems necessary for the functioning of the government, the right to be forgotten, the requirement of ‘explicit consent’ while taking on record someone’s data, and most importantly, data localisation. In this article, we are going to critically lay bare the workings of this concept and challenges to its implementation. We will also explain the problem-areas and the solutions related to them.
Data localisation, in the simplest of terms, means that the data collected from the citizens or the residents of a nation, is stored in the same jurisdiction. To illustrate, if a company X has collected data of citizens of India, a data localisation legislation will ensure that the servers holding that data are located inside the territory of India. There are compelling arguments in favour of data localisation regulations, the prime contention being that the easy access to data when it is stored under the jurisdiction makes the entities collecting and storing the information more accountable to the citizens of the said jurisdiction. Another important argument in favour of a legislation ensuring data server localisation is the comparatively convenient administration of justice in case of a breach or violation of norms of data privacy. If a suit, criminal or civil, is filed against a corporate entity based out of another country having its data reserves located in elsewhere, getting the details regarding the storage of information becomes difficult. Determining the particulars of a specific case might be easier when the data servers come under the jurisdiction of the present state, as all the levels of judiciary can order the presentation of the data to resolve the matters. The enforcement of data localisation requirements will obviate the intricate procedures that ensue in case there is a matter which involves overseas data repositories. The legal backing to a localisation regime will be helpful in easing out complex bureaucratic processes that have the potential to derail administration of justice in data breach cases.
To understand the stakes and nuances of this issue with respect to India, it is essential to delve into the finer details of how the legal scholarship and policy-making have taken shape. According to Report, the approach appropriated by the Committee was to assume a vantage point ensuring maximum benefit while simultaneously securing certain non-negotiable rights for the citizens. Chapter 6 of the Report deals with the questions surrounding the statutory localisation of data servers. The Report states that a data localisation law needs to be put in place to ensure a robust data protection regime, but at the same time warns us of an over-regulated paradigm. It has to be understood that there is a risk of warding off new investors if the laws regarding data localisation are too strict. A middle path seems to be the most effective solution in this case as the committee deals with this impediment by segregating the localisation requirements according to types of data. For instance, the requirements of local storage and access for legal assistance will be limited to only the data classified as sensitive or important for national interest. The idea is to create different classes of data and limit the most stringent requirements for more sensitive categories. Another workaround for making the provisions more business-friendly is to allow for trans-border storage of data subject to the condition that a copy of data remains under national jurisdiction. These solutions, however, give rise to a vital consideration for the entities accumulating data and their users—the costs of data localisation and who bears them. The overall costs of status quo, vis à vis a scenario with data localisation norms in place are not substantially different once we disregard the initial transition costs. This is due to several factors, including but not limited to the reduction in the legal costs of obtaining data from overseas jurisdictions, the use of long range fibre optics to transmit data to the users across the world from the host country and the impetus to the local industry given the data centres will be located inside the territory of India.
The draft data protection law in India espouses data localisation as a regulatory feature to be determined solely by legislating. However, it is crucial to locate the Indian situation with respect to data localisation in a global perspective. The European Union has been sceptical of the Indian insistence on data localisation citing that it will create barriers to free trade and hinder the free growth of the internet sector. Several tech-giants came together in denouncing ‘forced localisation requirements’ in the draft data protection bill and claimed that such a move will ‘curb cross border transfer of data entirely’. It is agreed that any restrictions that stifle the freedom of businesses to practice and earn profits lawfully are not economically or legally viable; at the same time, inconveniences caused to businesses by government’s enforcement of user rights cannot be brushed aside as an anti-trade move. The proliferation of data centres across the globe will provide impetus to local trade and industry. The clauses related to data localisation do not intend to shut down international transfer of data, it only seeks to ensure that the data collected from Indian citizens by various entities remains under their access and is available for future assistance in legal matters. It is extremely paradoxical that in a model where data exists in laissez faire space, free trade proponents refuse to acknowledge the highly monopolised and imbalanced accumulation of sensitive data in one geographical location. The demand to distribute the data centres is also pertinent from a security perspective, as the saturation of all the world’s data together in a large chunk makes it extremely susceptible to concerted attacks and breaches. Any attempt to steal or manipulate a small part of information will end up jeopardising all of the data, given the concentration of data at a single location. It is in the interest of stakeholders to democratise the accumulation of data and give more access to the real owners.
It is to be noted that the demands of data localisation are not unique to India. There have been fundamental shifts in the way online information exchange is transforming given the heightened awareness regarding the rights over data. The tussle over the ‘autonomy to data’ is manifested in the periodic face-offs that countries have in various trade organisations regarding unfair data ownership practices. It is another matter that these countries are not willing to let loose their own hold over the data of other jurisdictions.
As of today, Russia and China are two of the major countries with comprehensive laws specifying the ownership and rights to access of information. It is arguable that these laws are not balanced in terms of liberty and regulation, but the laws in force in these countries are not necessarily the ones to be emulated. Kazakhstan has enacted a data protection law which comprehensively lays down the principles of data ownership and territorial storage of data. Vietnam has a more agreeable legislation which requires one copy of all the ‘important’ data to be made locally available. Other market oriented countries like Indonesia, Malaysia, and Greece have enforced similar regulatory mechanisms underlining the need for data of citizens to be stored at home. It is high time India took a cue from these countries and got rid of the trite excuse of data protection legislation being anti-business.
Now that a new Lok Sabha is about to be formed in a month’s time, it is clear that a matter of such global and economic importance will (and should) be high up on the priority list of the government coming to power. There is only one issue that the policymakers should stick to, and that is the rights and security of Indian citizens. India should be aware of the fact that it has enough bargaining power so as to not get silenced by the tech-giants and the superpowers, as we are one of the largest and the most potent markets in the world. The question of data localisation has to be decided bearing in mind the best interests of a common Indian, at the very least, and not those of the tech giants.
 The Personal Data Protection Bill, 2018, section 40.