Disclaimer: Copyright infringement not intended.

Context

• Following complaints by many Indian start-ups that data localisation requirements in the current draft of the personal data protection Bill could hamper ease of doing business, the Ministry of Electronics and IT (MeitY) is looking at the possibility of diluting these norms.

 

Importance of data

• Data usually refers to information related to messages, social media posts, online transactions, and browser searches. It has become an important source of profits.
• Companies, governments and political parties find it valuable because they can use it to find the most convincing ways to advertise online.
• Much of the future’s economy and law enforcement will be predicated on the regulation of data, introducing issues of national sovereignty.

Handling of data

• Data is stored in a physical space similar to a file cabinet of documents and transported across country borders in underwater cables. Data is collected and handled by entities called data fiduciaries.
• While the fiduciary controls how and why data is processed, the processing itself may be done by a third party, the data processor.
• The physical attributes of data — where data is stored, where it is sent, where it is turned into something useful — are called data flows.

 

What is Data Localization?

• Data localization refers to the act of storing data on any physical device that may be present within the territorial borders of a country where the data has been generated. Some governments often restrict free-flowing data and the data that could impact government operations in a region. Many governments attempt to protect and promote security across the borders to encourage data localization.

 

Advantages of Data Localization

• In today’s time, data is considered to be the new oil, and this makes it very valuable. If the data is analyzed accurately, then it can form the backbone for any successful business.
• Governments looking to implement data localization might be seeking to give their local corporations a competitive edge. The national government can prevent the flow of data to external countries and thus, this data can be made available for the internal use by the domestic companies only. The informational asymmetry caused will prove to be beneficial for local companies.
• Data is a national resource, and thus the government holds a right on the revenue that is generated from the data. Similar to the inflow and outflow taxation of goods and services, the movement of data can also undergo taxation. The government can use the additional taxes generated from data for developing newer programs.

 

Disadvantages of Data Localization

• Foundation of the Internet lies with the free movement of data. In case the free flow of data is affected by imposing taxes or extreme protectionism, this will eventually destroy the Internet.
• Most companies prefer using the Internet as a medium to reach their customers is because it is cheaper and free of excessive regulation. When robust data localization and protection laws are implemented, then there is a high possibility that the Internet may face an abrupt end leading to its ‘death’.
• Another disadvantage that data localization holds is the security problem that is associated with the storage of data at a single location. The concept of storing data in a single geographical region is entirely opposite to the diversification approach followed by the MNCs. Also, the citizens of the country are not willing to allow the government to spy on their data. If all the data is stored within the geographical boundaries, then the government can collate all this data and even invade an individual’s privacy, if needed.

 

Challenges to Data Localization in India

• Presently, India doesn’t have any infrastructure to support the security of data being generated in the country. Without a secured infrastructure, the data remains prone to all kinds of cyber-attacks, and also there is a severe risk involved. With laws being implemented, it remains a challenge to develop an efficient infrastructure at a quick pace.
• The storage of data in India includes higher operational costs for payment system operators. In the case of cross-border transactions, data has to be stored in two places, which could increase the costs, and there is a high chance that these extra incurring costs will fall on to the consumers.
• Data localization can also be viewed against the intellectual property rights of an individual. This is because the individuals use their intelligence to form a system that can benefit from the data it has generated. Though, in the end, the consumers are deprived of these benefits, and a third-person might use the data in their favour.

 

Why has High Reluctance Shown by Companies?

• Most of the companies in the Indian market are not willing to adopt data localization as of now. The major reason why the companies are reluctant to comply with data localization is due to the costs involved.
• The costs can be in various hardware forms such as- servers, USPs, generators. It could also include the cost of infrastructure.
• Some companies hold the belief that India is not ready to have such an infrastructure and ecosystem that supports data localization.
• Large e-commerce players in the industry feel that there might be an increase of about 10-50% in the costs, depending on the strictness and rigidness of the final law.
• However, the big e-commerce and social media players are not going to be affected by this. The smaller businesses in the economy will be the ones who’re going to be at the suffering end.

Global Effects of Data Localization

• On the global scale, data localization regulations have created a significant impact on the economy in an era where economic growth is driven by the Internet.
• Internet is also the key enabler for trading taking place across several industries. With restrictions added on data storage and transfer, data localization holds a key threat to the free-flow of information taking place across the borders and maintenance of global supply chains.
• Due to the imposed regulations, there is a great impact that takes place on email communication, personal records, and social media services, adding to the limited access of information on which the manufacturing and service economies are heavily dependent.

 

Present Data Laws in Effect in India

• As of now, there is only a single mandatory rule for data localization in India. This is governed by the Reserve Bank of India (RBI) and is meant for payment systems. Besides this, other bill drafts are yet to take the form of a law.
• The other prominent evidence present in this context is the Data Protection Bill of 2018. The bill itself has got a fixed set of requirements on the data transfer that takes place across the borders. The draft e-commerce policy has clauses on the cross-border transfer of data.

Provisions of the Draft Data Protection Bill

• The bill trifurcates personal data. The umbrella group is all personal data — data from which an individual can be identified.

 

Personal Data

• Some types of personal data are considered sensitive personal data (SPD), which the Bill defines as financial, health, sexual orientation, biometric, genetic, transgender status, caste, religious belief and more.

 

Critical Data

• Another is critical data, which is determined by government for national security purposes. It requires individual consent for data transfer abroad.
• The bill requires sensitive personal data to be stored only in India.
• It can be processed abroad only under certain conditions including approval of a Data Protection Agency (DPA).

 

Critical Personal Data

• The final category of critical personal data must be stored and processed in India.

 

Mandate for Fiduciaries

• The bill mandates fiduciaries to give the government any non-personal data when demanded.
• The bill also requires social media companies, which are deemed significant data fiduciaries based on factors such as volume and sensitivity of data as well as their turnover, to develop their own user verification mechanism.

Individual consent

• The bill includes exemptions for processing data without an individual’s consent for “reasonable purposes” including security of the state, detection of any unlawful activity or fraud, whistle-blowing, medical emergencies, credit scoring, operation of search engines and processing of publicly available data.
• It also grants individuals the right to data portability and the ability to access and transfer one’s own data.
• It legislates on the right to be forgotten.

Independent Data Protection Agency

• The Bill calls for the creation of an independent regulator DPA, which will oversee assessments and audits and definition making.
• Each company will have a Data Protection Officer (DPO) who will liaison with the DPA for auditing, grievance redressal, recording maintenance and more.

 

Penalties

• The penalties that can be levied are divided into two major categories:

1) If a data fiduciary doesnt follow through on compliance requiremnts, it can be fined up to Rs 50 million or 2% of its worldwide turnover, whichever is higher.

2) If it doesn’t comply with the standards for processing personal or personal sensitive data it can be fined up to Rs 150 million or 5% of its total worldwide turnover, whichever is higher.

• Then there are a host of other penalties for more minor violations such as refusing to comply with a individual’s request (Rs 5 lakh maximum).

 

Positive

• The bill is quite strict on how companies and government will be treated if they are found to have committed offences under the Act (the two primary ones being obtaining/selling data contrary to the Act and the other being re-identification and processing of de-identified data).
• It can bring an end to “data colonization” by big corporations and the non-Indian companies.
• India’s data must be controlled and owned by Indian people and not by corporates, especially global corporations.

Concerns related to the bill

• The appointment of members to the DPA will not be made through an independent body but by a handful of people, mostly bureaucrats, selected by the government. Thus, the fact is that the data protection authority could be captured by the government (central appointments with 5-year-terms).
• The bill calls for a separate appellate tribunal to be set up that will hear appeals made against DPA orders. The head and members of this tribunal, as is the norm, will be subject to rules of qualifications, term of office and renewal by the Centre.
• Civil society groups have criticized the open-ended exceptions given to the government in the Bill, allowing for surveillance.
• There is a blanket power of exemption from all provisions of the law (including access to personal data without consent, citing national security, investigation and prosecution of any offence, public order) in favour of a government agency.
• A new watchdog without teeth, with no functional autonomy, would mean governments are legally immune from charges of data-mining.
• Justice (Rtd) BN Srikrishna, who headed the committee that formulated the original draft of the Bill, has reportedly called it “a piece of legislation that could turn India into an Orwellian state”.
• The bill doesn’t lay down the golden principle of allowing individuals to be true owners of their own data. There is no right to erasure, only a limited right to be forgotten that is saddled with a bureaucratic process (more on this below).
• Many are concerned with a fractured Internet where the domino effect of the protectionist policy will lead to other countries following suit.
• Much of this sentiment harkens to the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows rather than nationalistic borders.
• Allowing the government to force companies to transfer non-personal data raises serious intellectual property concerns, and can still threaten users even if they’re not individually identified.

Need for data localization

• Will help law-enforcement access data for investigations and enforcement.
• Proponents highlight security against foreign attacks and surveillance, harkening notions of data sovereignty.
• Many domestic-born technology companies, which store most of their data exclusively in India, support localisation.
• Reliance Jio has strongly argued that data regulation for privacy and security will have little teeth without localisation, calling upon models in China and Russia.
• Instances of cyber attacks and surveillance will be checked. Recently, many WhatsApp accounts were hacked by an Israeli software called Pegasus. Social media is being used to spread fake news, which has resulted in lynchings, national security threats, which can now be monitored, checked and prevented in time.
• Data localisation will increase the ability of the Indian government to tax Internet giants.
• Strong data protection legislation will also help to enforce data sovereignty.

 

Final Thoughts

• Data Privacy will require a balancing act between personal liberty and sovereign securities such as prevention and investigation of crime and National security threats. Another legitimate concern of the State that needs to be balanced with the Right to Privacy, recognized in Puttaswamy, is social welfare measures.
• The illegitimate commercial gains being enjoyed by enterprises at the cost of privacy of individuals are also likely to vanish due to data localization.
• But Data protection is a complex exercise, and the law will need amendments from time to time depending on the problems that crop up. Thus it must be brought into the Statute book expeditiously.

https://indianexpress.com/article/business/startups/as-start-ups-complain-govt-looks-to-ease-data-localisation-norms-8034036/