Data Localisation: Ensuring data privacy of people?
-Rishiraj Chandan
Introduction:
British
mathematician Clive once said that data is the oil of 21st century this has
indeed turned out to be true over the rapid growth of digital Community. For
economies all over the world, now data plays an increasingly important role as
an economic and strategic resource. It can be used to make decisions with the
economic impacts, environmental impact or effects on health, education or
Society in general. The volume of data in the world is increasing
exponentially. As per United Nations digital economy report 2022. 94.2
zettabytes of data were created in 2022 which is 314 percent increase from
2015. Data localization now refers to various policy measures that restrict
data flows by limiting physical storage and processing of data within a given
jurisdiction boundaries. So, where do we stand on the issue of data
localization? what are the challenges on this front?
Let's
first start by understanding a bit about the significance of data and the
concept of data localization. What do we mean by data localization? And Why is
it needed? To simplify this complex term, I would like to define that the
processing and storage of any data should happen within boundary of that
country. It should not cross the country and that is something which is
expected from the data localization[1]. Because it involves National
Security, our economic growth , our Innovations etc. All these things are
linked to data localization. It used to go out, there are many companies those
are from different countries and they were making money based on our data[2]. We have recently seen 150
plus applications from China were banned because they were taking data out from
our country. Examples will be especially the WeChat application or many such
applications those were listed in that. WeChat were valued 500 billion dollars
and most of their user base were created at that time in India. So, we can
imagine a company which has been valued double of the Pakistan GDP, they were
making money. They were getting investment because they have data from India
but India is not taking any benefit of that. So, that is the biggest loophole
that we could understand and that's why the data sovereignty or data
localization issue was raised.
Understanding
Data Localization and Challenges related to it:
I
think this is the need of the hour because it is said rightly that the data is
the next oil and there will be a time when countries will run based on the data.
The economies will be driven based on the data. So, we need to understand the
importance of it and this is high time when we should come up with a strong law
which actually has been in discussion since long time. It is still in
discussion. But this is the prime problem now, that the data which is personal
data, which is personally Identifiable information, which is sensitive data, which
is critical data, which could be from different other sectors should be
retained in India. It should be stored and processed in India.
The
report which I was referring for 2022, almost 94.2 zettabytes are 314 percent
more than what it was five years ago[3]. The question is how is this data generated? Why
so much amount of data is important? Whether all of it is to be stored? Most of
it must not be of any use. There are multiple points that can be said regarding
this. Not all data is equally important, the most important data we care about
are things which are about individuals. Personally identifiable data, data
which carries your personal information. That's what right to privacy is about.
Suppose our own emails are there, suppose our financial transactions are there,
suppose our photos are there, most of these are now kept on the cloud depending
on which service you are using. They may
be hosted in India or abroad. They may be hosted in multiple jurisdictions,
their copies may be kept in multiple jurisdictions. That is the problem for
example: financial data i.e.all credit cards and other transactions happening
in India. I think RBI recently insisted that these have to be kept within India[4]. So, I think some of the
financial companies were even requesting for extension and permission because
every payment you make, every credit card purchase you make that is data about us.
What we would like to eat, where do we like to eat it, when we like to eat ,
what we buy etc. All of that becomes profile data for us. If somebody has access to it they can very
soon find out about us.
Similarly,
people use Uber and such kind of services, why did China take such strong
action on their version of uber? Because even officials if visiting someplace all
their information as to who went where, when did they go, is all in the app now.
It's now in the cloud and it can be shared with anybody. Anyone can put four
things together and figure out what they are doing. You don't need spying. That
is the concern, of course not all data is equal that I agree but there is
definitely a need for personally identifiable data to be secure. Through legal
means there should be a mechanism and a sovereign country would like the data
of its citizens to be stored within its boundaries. This is what in some way or
the other Europe and U.S have been insisting on to different degrees.
Discussion
on the issue of data privacy is rampant everywhere, so when we are looking at
the concept of data localization both of them are very closely correlated[5]. As I pointed out that by
data localization, by this particular term the government or the authorities
are perhaps looking for is to protect the personal data. Personal data of its
citizens is of real importance to citizens to the government as well. Is this
the only cons aspect of this concept which is really important or is there
something else as well?
Let's
not forget that it's not just personally identifiable information that we are
talking about. But say countries across the world, the free flow of data of
internet has also allowed a lot of multinational companies to grow. That's
where globally countries across started putting focus on that. However, this
digital economy is expanding and we need to put some concern with respect to
free flow of data. Those concerns if I may just point out would be storing of
data on foreign servers, which has and we have seen has been an impediment in
data access for domestic national security agencies. Second aspect is that loss
of economic benefits due to exploitation of data by the foreign firms. That's
another concern which not just India but I think major economies are pondering
upon. The third aspect would be the concern about foreign surveillance the
National Security and sovereignty. The fourth aspect would be the misuse of
personal data in violation of privacy rights. That's why we're talking about
cyber security, privacy and personally identifiable information. This is not
just one but this is four folds of things which countries across are wandering
over. I would not restrain in saying that data flow or free flow of data must
be regulated.
Balance
between Economy and Data Localization:
To
understand that what do we mean by regulation. We cannot strangulate this
entire process because we do talk about free trade agreements with countries
across globe. In past two decades, countries have implemented some of the other
restrictions but we do have to trade with countries. There has to be a flow of
data. But if we look at numbers, 75 percent of countries globally have
implemented some level of data localization rules. When I'm talking about level
of localization rules one is to understand that what do you mean by data
localization. That also can be clubbed into different categories looking at
severity and sensitivity of those data. One has to secure faster and better
access to personal data for law enforcement agencies. The second is preventing
foreign kind of things this can be tackled maybe by categorizing localization
into different categories that can be a conditional localization[6]. Which will be specific that
it entails only local storage requirement. It cannot travel and none of the
data can travel outside. The second can be unconditional local storage
requirement that is for all personal data, that it's an unconditional local
storage. Conditional localization, it can be the case that one portion of it is
in India and the copy can go or processing can be done outside India. But unconditional local storage requirement is
that all personal data has to be stored and processed in India. There is no condition into it. There are
countries which have come up with the same regulations where unconditional
requirements are there for example Australia. RBI also came up with regulation mandating that
all financial institution has to keep financial data of Indian citizen within
the jurisdiction of Indian. But they also came up that processing can be done
and finally the product has to be in India. The third is unconditional
mirroring requirements that is for all personal data. The fourth can be
unconditional free flow of data with bilateral or multilateral agreements for
data access and transfers.
This
is where the latest issue of FTA with UK lies. Where we are pondering about
that we don't have any data localization norms in place. We cannot just look at
it into with closed aspect that data localization means that entire data has to
be in India, but one has to understand what is meeting your objective when it
comes about National Security. What kind of localization norms or process you
have to keep in place when you talk about business or free flow of data? What kind of localization you want to
implement when you talk about cyber security? That brings us to the issue as to
what kind of laws are we looking at? What kind of policies are we looking at? Because
the original draft of personal data protection bill, there were media reports
that they put in a lot of restrictions on data localization.
Conclusion:
This
is not that simple problem because we cannot restrict all kind of businesses
because of the data localization. We should also be liberal because we want
economy to grow. That is a balance that we need to create[7]. That is the reason I think
this bill is delayed. Because there were
lots of outcry from different companies that we cannot follow all these
recommendations and guidelines. We became too much conscious, overly conscious
about this kind of data. That has actually made that almost strangulating the
businesses situation. I think that is something which we need to take care of
right now.
Sovereign
requirements of any country including ours are met in terms of ensuring
National Security. Current aspect with which the personal data of its citizens
is looked at is not being misused. It's a very tightrope walk. In fact, this
whole issue of data privacy and then of course the related issue of data
localization even internationally it is not a well-solved issue. In principle
we recognize that we need to protect individuals and their data. The challenge
is Europe tried for example with GDPR(yeah I'm sure many of you would have heard
of this data Privacy Law that the Europe implemented two three years ago), the
result of that is every time you go to a website you get a message at the
bottom saying “do you accept all cookies or not you can manage your cookies.” But
the challenge is if you look at a typical person he doesn't want to manage the
cookies, he just says accept all. So, the point is they put in this very
complex set of regulations but they are not human friendly. For an average use, even a sophisticated user
to keep managing what information each site is tracking about you or what
information is being stored about you, who has what information is a very
complex task. Most users are not willing to take on that responsibility. The point I'm making is that the technology for
making this kind of very fine-grained decision is missing at present. As pointed out there is this subtle difference
between blocking everything so that Commerce gets hurt, companies get hurt, our
economic growth gets hurt, and allowing everything where people can get hurt
and having that very fine sieve through which only the things that are
permissible to pass through. Designing that basically is going to be, a very
intelligent sieve in some sense itself, a very tough problem. Doing it through law is even more complex
indeed. That's where we are stuck at today. I think we should put in some level
of protection and then slowly ramp it up over the years as we learn how better
to do it.
We
need to understand that what kind of restrictions has to to be there with
regard to cross-border data flow or cross-border data sharing and what kind of
controls you need to establish for transfer of information. Because just by
saying that we are bringing in law would not suffice. You need to have a system in place which will
make you understand that transfer is happening or not happening and what kind
of transfer can happen. So, that clarity about classification has to be very
robust or very specific and clean for people to understand. Specifically in
India as to how it has to be flowed? Do we have system in place where one can
understand that this data is not actually going outside? Because it's just a
click away. So, how do we bring enforceability of the law? Coming back
technological sovereignty, It is something that goes beyond the idea of
economic competition. It's actually practically building the idea of
technological capacity of nation that has a capacity to threaten the national
sovereignty of the another[8]. There is a need for having a
fine balance and one has to adequately address the challenges of rise in data
localization that is definitely one of the defined issue with this current
Internet governance landscape.
There
are many other new technologies those are coming into play. It will be very
difficult to control the data then because these technologies will generate
almost 100 times more data than Facebook or other apps. They'll have your 3D data and much more
personalized information from our behaviour to our body language. Everything
will be there. How will we restrict them to not process the data outside? Because
people will start already using it. It will be much more difficult to regulate then.
I think this is the right time you need to take care of the futuristic
Technologies also and plan the regulations accordingly. Whether it is quantum
Computing, whether it is AI, whether it is metaverse there are many such things
on floor. So, we need to think from all these aspects. That is really important.
We clearly get that data is important for a person, for an individual user but
also at a larger scale economically and strategically from the National
Security point of view as well. So, it
becomes really important to understand how data localization works and what
kind of policies are being worked upon, being decided upon. The time is now to
put in place a good mechanism, a forward-looking futuristic mechanism in place
to protect the personal data as well as to ensure the nation's security, economic
growth and strategic importance as well.
[1]
Svantesson, D. (2020), "Data localisation trends
and challenges: Considerations for the review of the Privacy
Guidelines", OECD Digital Economy Papers, No. 301, OECD
Publishing, Paris, https://doi.org/10.1787/7fbaed62-en
[2]
https://www.pwc.in/assets/pdfs/consulting/cyber-security/data-privacy/data-localisation-norms-a-key-pillar-for-privacy-protection.pdf
[3]
https://www.statista.com/statistics/871513/worldwide-data-created/
[4]
https://m2pfintech.com/blog/decrypting-rbi-data-localization-policy-for-payment-companies/
[5]
Selby, J. (2017), “Data localization laws: trade barriers or legitimate
responses to cybersecurity
risks, or both?”, International Journal of Law and
Information Technology, Vol. 25, p. 213.
[6]
https://carnegieindia.org/2021/04/14/how-would-data-localization-benefit-india-pub-84291
[7]
Van der Marel, E., H. Lee-Makiyama and M. Bauer (2014), “The Costs of Data
Localisation: A
Friendly Fire on Economic Recovery”, European Centre
for International Political Economy,
https://ecipe.org/publications/dataloc/.
[8]
https://carnegieindia.org/2021/04/14/how-would-data-localization-benefit-india-pub-84291
