Data Localisation: Is it a Solution to Privacy Concerns?
The epiphany that “data is the new oil” hassled to the emergence of data protection laws across the world, creating a variety of legal and commercial challenges for global organizations. One such challenge relates to data localization restricting the cross-border transfer of data. India is also a part of this tectonic change in data protection regime with the introduction of the draft Personal Data Protection Bill, 2018 and various sector-specific reforms in that direction.
Through this article, the author will discuss various data localization mandates introduced by the Government, compare it with the European data protection law and discuss the implications of such policies.
Indian Data Protection Regime:
1. Definition and emergence of Data Localization
Data localization refers to the practice of limiting the storage, processing and/or movement of data to specific geographies.[i] It may include measures that specifically prohibit information from being sent off-shore, prior consent of the data subject, and mirroring of data domestically.[ii]
After Edward Snowden revealed the extensive surveillance carried out by NSA, States started adopting data localization policies. In India, the draft Personal Data Protection Bill, 2018 was released after the landmark judgment of “Right to Privacy”[iii] and since then, various sectors are also getting a taste of the data localization mandate. Some of these are discussed below:
A. The Personal Data Protection Bill, 2018:
Section 40 of the Bill discusses the restrictions on cross-border transfer of data[iv]:
Data Fiduciary has a duty to store data on a server or data centre located in India or mirror such data in India.
Critical personal data as notified by Central Government shall only be stored and processed in India.
Section 41 states the conditions for cross-border transfer of personal data, subject to prior consent of the Authority is based on the following parameters:
Subject to standard contractual clauses or intra-group schemes.
With the permission of the Central Government personal data can be transferred to a country, a sector within a country or an international organization.
Situation of necessity.
For 1 & 2, data subject has consented.
This section is not applicable to critical personal data.
B. Comparison with the General Data Protection Regulations, 2018
The General Data Protection Regulation (GDPR) has taken a hybrid approach towards data localization. The most essential feature of GDPR is that it does not restrict the flow of data to third countries but merely imposes conditions and extends its jurisdiction to any personal data processing, in the EU or abroad, that originates in the EU.[v]
However, most cross-border transfers of personal data will be carried out under standard contractual clauses as there are only a few countries with a robust data protection regime. Even EU has recognized only 12 countries to have adequacy status under the GDPR.[vi]
2. Sector Specific Amendments in Accordance with the Bill
A. The Reserve Bank of India:
RBI issued a notification[vii] under Section 10(2) of the Payments and Settlement Systems Act, 2007 that requires all payments system providers to store full end-to-end transaction details, information collected, carried and processed in India for security and supervisory purposes.
As of October 16 2018 (deadline), 64 out of 80 payment service providers said they were ready with local data storage.[viii]
B. The Drugs and Cosmetics Act, 1940:
Ministry of Health amended the Drugs and Cosmetics Act, 1940 to regulate e-pharmacies. According to Section 67K, the e-pharmacy should not only store data in India but also be an Indian establishment.[ix]
C. The Draft E-Commerce Policy:
The draft E-commerce policy, under article 2.4 mandates companies to store all data relating to Indian users locally and says their source codes must be audited as well.
This is somewhat contrary to the Personal Data Protection Bill as the Bill only requires personal data to be stored and processed locally, while under this draft, all the data is to be stored and processed in India.[x]
D. The Telecom Sector:
Department of Telecommunication, under clause 39.23 of the Unified License Agreement puts a restriction on TSPs (Telecom Service Providers) that they cannot transfer account information to any person or place outside India. The clause prohibits the use of remote facilities to monitor data and mandates mirroring in India.[xi]
Analysis of the Policies and Feasibility:
1. Increase in Government Control:
The government rather than securing the privacy of citizens is trying to gain control over data through data localization. E-pharmacies are required to provide data to the government for public health purposes, but it doesn’t specify circumstances for invoking this provision.[xii] Under the draft e-commerce policy too, the government has access to data stored in India.
2. Cost-Analysis and Impact on the economy:
One of the essential features of cloud computing is that it is transnational in nature[xiii] and organizations do not incur any infrastructural costs. Data localization would require heavy investments for organizations to set up servers in each country. Only big organizations like Alibaba could afford to implement this. SMEs would face capital and infrastructural barriers hindering setting up of start-ups and innovation.[xiv] The economy would get affected as a result of the wide data localization measure, the effect on GDP would be 0.8% and foreign direct investments would drop by 1.9%.[xv]
Contrary to the reasons given by the government, data localization increases security risks. Cloud uses a process called “sharding” in which rows of a database table are held separately in servers across the world that provides enough data for operation but not enough to re-identify an individual.[xvi]
An analogy can be drawn between cloud and blockchain to understand the importance of data distribution:
Assuming N nodes with E as the security level, the security of the distributed ledger will be N x E rather than 1 x E in a centralized ledger.[xvii]
4. National Security:
Cloud computing raises national security concerns. For example, under the USA PATRIOT Act, the government has the power to intercept any data coming inside the country for security purposes.[xviii] Therefore, governments prefer sensitive data located within the boundaries of their country.
But data localization is not the solution as the NSA has infiltrated all jurisdictions with the use of malware.[xix] To achieve data security, the use of strong encryption is essential. However, the Government has failed to issue rules under section 84A of the IT Act to promote strong encryption.[xx]
5. Law Enforcement:
Electronic evidence is increasingly becoming relevant to criminal investigations. Eight of the top ten most accessed websites in India are owned by entities headquartered in the U.S.[xxi] and this hinders investigation of crimes because to access this data, the processes set out in agreements called Mutual Legal Assistance Treaties (MLATs) is followed which is tedious and time-consuming and therefore data localization appears to be a suitable option.
Apart from these concerns, the report[xxiii] discusses that data localization will reduce the reliance of fibre optic cable network that poses a security threat. However, data destruction does not always require a continental-scale event.[xxiv]
The report also points out that development in Artificial Intelligence will see a great boost from data localization.[xxv] It can be one of the reasons but definitely not the sole reason because even though the USA has no data localization policy, it is a dominant player in the AI industry.
India has adopted a forced data localization law that has altered the basic structure of the internet. Lawmakers are only concentrating on national security and ignoring factors like economic growth, innovation and job creation.[xxvi] Further, consumers are not given the option to decide where they want their data to be stored. Additionally, it is essential to have privacy laws irrespective of the location of storage or processing of data. Indian Government must realize that strict localization is not a concrete solution to national security, rather a burden on the economy.[xxvii]
[i] Jyoti Pandai & Jeremy Malcolm, The Political Economy of Data Localization, The Open Journal of sociopolitical studies 512, 513 (2018)
[ii] Anupam Chander & Uyên P. Lê, Data Nationalism, 64 Emory LJ 680 (2015)
[iii] K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1
[iv] The Personal Data Protection Bill, 2018 (pending)
[v] William Alan Reinsch, A Data Localization Free-for-All, Center for Strategic & International Studies, (Jan 9, 2019, 11:00 AM), https://www.csis.org/blogs/future-digital-trade-policy-and-role-us-and-uk/data-localization-free-all
[vi]Khaitan & Co., Decoding The Personal Data Protection Bill, 2018,Mondaq, (Jan 1, 2019, 1:20 PM), http://www.mondaq.com/india/x/727776/data+protection/Decoding+The+Personal+Data+Protection+Bill+2018
[vii] RBI/2017-18/153 DPSS.CO.OD No.2785/06.08.005/2017-2018
[viii] Nikhat Hetavkar, RBI Firm on Data Localisation; 80% of Firms to Comply by October 15 Deadline, The Wire, (Dec. 31, 2018, 7:00 PM), https://thewire.in/business/rbi-firm-on-data-localisation-80-of-firms-to-comply-by-october-15-deadline
[ix] Sale of Drugs by E-Pharmacies Draft Rules, 2018 G.S.R. 817(E), (Ministry of Health and Family Welfare)
[x] Rana, #NAMA Policy: Issues with Data Localization & Ownership in Draft e-commerce policy, Medianama,(Jan 12, 2019, 3:00PM), https://www.medianama.com/2018/10/223-namapolicy-issues-with-data-localisation-ownership-in-the-draft-ecommerce-policy/
[xii] Suprita Anupam, New Rules To Make Epharma Registration Simpler And Regulation Clearer, Inc 24, (Jan 4, 2019, 3:30 PM), https://inc42.com/buzz/new-rules-for-epharma-makes-the-registration-simpler-regulation-clearer-says-epharma-startups/
[xiii] George Yijun Tian, Current Issues Of Cross-Border Personal Data Protection In The Context Of Cloud Computing And Trans Pacific Partnership Agreement: Join Or Withdraw, Wisconsin International LJ 370, 372 (2017), http://hosted.law.wisc.edu/wordpress/wilj/files/2017/12/Tian_Final.pdf
[xiv] Mugdha Variyar, Alibaba backs data localisation in India; looks to grow its cloud presence,Et Tech, (Jan 4, 2019, 4:20 PM), https://tech.economictimes.indiatimes.com/news/internet/alibaba-backs-data-localisation-in-india/65869783
[xv] Telecom Regulatory Authority of India, Government of India, Bif Response To Trai Cp On Privacy, Security & Ownership Of Data In The Telecom Sector, https://main.trai.gov.in/sites/default/files/BIF_Telecom_Sector_07112017.pdf, (Jan 12, 2019)
[xvi]Supra note ii
[xvii] Dirk A. Zetzsche, et al., The Distributed Liability of Distributed Ledgers: Legal Risks of Blockchain, 007 European Banking Institute & University of New South Wales Law Research Series (2017).
[xviii] Sreenidhi Srinivasan, The Emerging Trend of Data Localization, The Columbia Science and Technology LR, (March 1, 2018), http://stlr.org/2018/03/01/the-emerging-trend-of-data-localization/
[xix] Floor Boon et al., NSA Infected 50,000 Computer Networks with Malicious Software, NRC.NL (NETH.) (Dec. 28, 2018, 12:30 PM), https://www.nrc.nl/nieuws/2013/11/23/nsa-infected-50000-computer-networks-with-malicious-software-a1429487
[xx] Supra note xv
[xxi]Bedavyasa Mohanty & Madhulika Srikumar, Data localisation is no solution, https://www.orfonline.org/research/42990-data-localisation-is-no-solution/
[xxii] Supra note xviii
[xxiv]Ashi Bhat & Suneeth Katarki, The Debate – Data Localization And Its Efficacy, Mondaq, (Jan 2, 2019, 2:15 PM), http://www.mondaq.com/india/x/736934/Data+Protection+Privacy/The+Debate+Data+Localization+And+Its+Efficacy
[xxv]NovoJuris Legal, Data Localisation: India’s Policy Framework, Mondaq, (Jan 22, 2019, 3:10 PM), http://www.mondaq.com/india/x/739546/Data+Protection+Privacy/Data+Localisation+Indias+Policy+Framework
[xxvi]Dr Kamlesh Bajaj, Data localisation & Data Access policy challenges for lawmaker, Et Tech, (Jan 14, 2019, 5:06 PM), https://tech.economictimes.indiatimes.com/news/corporate/data-localisation-data-access-policy-challenges-for-lawmakers/64371561
[xxvii]Shreya Mohapatra et al., Mapping Comments to the Srikrishna Committee on data protection (Part II): Data Localization, Ikigai Law, (Jan 14, 2019, 7:30 PM), https://www.ikigailaw.com/mapping-comments-to-the-srikrishna-committee-on-data-protection-part2/
By Madhura Bhandarkar, Student of Indian Law Society’s Law College (ILS), Pune