Data Localisation

  SANSAD TV - Discussion   May 22, 2024   123  Add to Reading List
Data Localisation

Data has emerged as a critical asset, serving as both an economic powerhouse and a strategic tool. Its applications are far-reaching, influencing decisions that shape economies, environments, health outcomes, educational systems, and societal dynamics. With each passing day, the volume of data surges exponentially, reflecting a profound shift in our digital landscape. The United Nations' digital economy report for 2021 revealed a staggering statistic: in 2020 alone, the world generated a colossal 64.2 zettabytes of data, marking a remarkable 314 percent surge from 2015. This exponential growth underscores the transformative potential and the pressing need for effective management and utilization of this invaluable resource.

  • Data localisation entails the practice of housing both vital and non-vital data within the borders of a particular country.
  • A fundamental objective of data localisation is to retain jurisdiction over our own data, bolstering the nation's resilience against privacy breaches, data leaks, identity theft, and cybersecurity threats.
  • This approach has facilitated the nurturing of indigenous startups and the organic growth of local businesses, fostering innovation in regional languages and ensuring economic vitality.
  • The Ministry of Electronics and Information Technology (MeitY) has formulated a proposed legislation focusing on safeguarding personal and sensitive data.
  • According to the draft bill, entities handling individuals' personal data are required to maintain a duplicate of such data within Indian territory, while the export of undefined "critical" personal data is explicitly prohibited.
  • Personal data encompasses both online and offline information that can be utilized to uniquely identify an individual, thereby enabling the creation of personalized profiles.

Here are the four main variants of localization:

  1. Conditional Localisation: This variant involves a stipulation mandating that certain data must be stored locally within the country's borders. This requirement is typically imposed under specific conditions or circumstances.

  2. Unconditional Local Storage Requirements: Under this variant, there are no exceptions or conditions; all personal data must be stored locally within the territorial boundaries of the country, regardless of any other factors.

  3. Unconditional Mirroring Requirements: In this scenario, every piece of personal data collected must have a duplicate stored locally. This ensures that a complete copy of all personal data is maintained within the country's jurisdiction.

  4. Unconditional Free Flow of Data with Bilateral/Multilateral Agreements: Contrary to the previous variants, this approach promotes the unrestricted movement of data across borders. However, this free flow is facilitated through bilateral or multilateral agreements that regulate and govern data access and transfers between participating countries.

Here's a breakdown of data localization norms as outlined in various policies and frameworks, focusing on India and globally:

In India:

  • Srikrishna Committee Report:

    • Mandates the storage of at least one copy of personal data on servers located within India.
    • Requires transfers of data outside the country to be subject to safeguards.
    • Specifies that critical personal data must only be stored and processed within India.

  • Data Protection Bill 2018:

    • Recognizes the right to privacy as a fundamental right, emphasizing the protection of personal data.
    • Proposes the establishment of a Data Protection Authority to safeguard individuals' interests, prevent misuse of personal data, and set norms for cross-border data transfers.
    • Authorizes the Central Government to identify categories of personal data as critical, which must be processed only within India.

  • Draft National E-Commerce Policy Framework:

    • Recommends data localization and suggests a transition period of two years for the industry to comply before localization rules become mandatory.
    • Proposes incentives to encourage data localization and offers infrastructure status to data centers.

  • Boycott of Osaka Track:

    • India refrained from endorsing the Osaka Track at the G20 summit in 2019. The Osaka Track advocated for laws facilitating data flows between countries and the elimination of data localization requirements.

  • Banning of Chinese Mobile Apps:

    • In 2020, the Indian government banned 59 widely used apps, predominantly linked to Chinese companies, citing concerns over data security and national sovereignty under the Information Technology (IT) Act, 2000.

Global:

  • United States:

    • Requires defense-related data to be localized.

  • Australia:

    • Enforces sectoral regulations for localizing health data.

  • Russia:

    • Mandates the localization of all citizens’ personal data.

  • China:

    • Requires localization of data concerning critical information infrastructure and important personal information.

  • Indonesia:

    • Requires localization of all public services data.

  • European Union (EU):

    • Allows conditional data transfer.

  • Bilateral and Multilateral Agreements:

    • Numerous agreements exist, with countries committing to similar data protection norms and facilitating cross-border data transfer and localization, such as the Osaka Track (2019), the Clarifying Lawful Overseas Use of Data (CLOUD) Act (2018), Comprehensive and Progressive Agreement for Trans-Pacific Partnership (2018), Digital Economy Agreement (DEA) (2020), among others.

Here are the advantages of data localization:

  1. Protects Privacy and Sovereignty: Data localization safeguards citizens' data, ensuring data privacy and sovereignty from foreign surveillance. It prevents unauthorized access to personal and financial information by foreign entities, thus preserving national security and individual privacy rights.

  2. Monitoring of Laws & Accountability: By storing data locally, Indian authorities gain unhindered access for supervisory purposes, ensuring better monitoring of data usage. This fosters greater accountability from companies like Google and Facebook regarding the handling and utilization of data, enhancing transparency and compliance with local regulations.

  3. Ease of Investigation: Localized data facilitates ease of investigation for Indian law enforcement agencies. Currently, these agencies often rely on Mutual Legal Assistance Treaties (MLATs) to access data, which can be time-consuming and bureaucratic. Data localization streamlines the investigative process, enhancing national security efforts and expediting justice delivery.

  4. Jurisdiction & Reduction in Conflicts: Data localization grants local governments and regulators jurisdiction over data stored within their borders. This ensures prompt access to data when required for legal or regulatory purposes, minimizing conflicts of jurisdiction arising from cross-border data sharing. Consequently, it leads to faster resolution of legal disputes and breaches, enhancing the efficiency of the judicial system.

  5. Increase in Employment: The localization of data stimulates the growth of the data center industry, creating employment opportunities within India. This industry expansion generates jobs in various sectors, ranging from data management and cybersecurity to infrastructure development and maintenance, thereby contributing to economic growth and employment generation.

Here are the disadvantages of data localization:

  1. Investments: Implementing data localization mandates may require global companies to invest significantly in building and maintaining local data centers. This can lead to increased infrastructure costs, operational expenses, and complexities in managing multiple data storage facilities.

  2. Fractured Internet: Data localization policies contribute to the emergence of a "Splinternet" where countries adopt protectionist measures, fragmenting the global internet ecosystem. This trend can trigger a domino effect, prompting other nations to implement similar policies, ultimately disrupting the seamless flow of information across borders.

  3. Lack of Security: Despite storing data within the country's borders, the encryption keys necessary to access and protect this data may still be controlled by foreign entities or remain outside the reach of national agencies. This raises concerns about the effectiveness of data security measures and the ability of governments to safeguard sensitive information.

  4. Impact on Economic Growth: Mandatory data localization measures can create inefficiencies for businesses and consumers alike. They may lead to increased costs and reduced availability of data-dependent services, hindering innovation, and economic growth. Additionally, compliance with localization requirements may impose burdensome regulatory obligations on companies, impeding their ability to compete in global markets.

Conclusion:
The implementation of data localization policies requires a well-integrated long-term strategy that balances the interests of various stakeholders, including the IT and BPO industries. Law enforcement agencies must have timely access to data stored within the country's borders to address cybersecurity threats effectively. Collaboration among all parties is crucial to combat cyber fraud and crimes while ensuring privacy and security for citizens and businesses. Additionally, individuals must take responsibility for maintaining basic cyber hygiene to safeguard their sensitive information. With a comprehensive approach, India can navigate the complexities of data localization and strengthen its cybersecurity framework for the benefit of all.