• The Indian data localisation wave is the latest digital battleground of ongoing power wars between government and industry.
• As the world weighs free global data flow against national security, what is at stake?
What is Data localisation?
• Data localisation is the concept that the personal data of a country’s residents should be processed and stored in that country.
• Some directives may restrict flow entirely, while others more leniently allow for conditional data sharing or for data mirroring, in which only a copy has to be stored in the country.
• As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” (MLATs).
What has happened now to bring this into focus?
• The recurring data localisation agenda has bubbled up in a number of government directives or drafts.
• In early April, the RBI issued a circular mandating that payment data be stored only in India by October 15.
• This covered everyone from Mastercard and Visa to WhatsApp Payments and PayTM.
• Currently, the RBI has not instituted any fines for those who have missed the deadline but is seeking schedules of pending data transfers to India.
B N Srikrishna committee Recommendations
• In late July, a data protection draft law by a committee headed by retired Justice B N Srikrishna recommended that all personal data of Indians have at least one copy in India.
• A subset of that data, labelled critical personal data, must be stored and processed only in India.
• The government’s e-commerce policy recommended localisation for “community data and data generated by users in India from various sources including e-commerce platforms, social media, search engines”.
• It also discussed strategies to “incentivise domestic data storage in India” through facilitating data infrastructure.
• “There could be, say a 2-year, sunset period for industry to adjust before localisation becomes mandatory,” the report stated.
• In August, a Reuters article found that a draft report of a cloud computing policy recommended localisation of Indians’ data.
• Cloud computing, a service offered by the likes of Amazon and Microsoft, allows customers’ data to be stored on remote data centres.
Who is for it?
• Localisation will help Indian law enforcement access data.
• The RBI circular stated that “to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers”.
• This especially gained prominence earlier this year, when a spate of lynchings across the country was linked to WhatsApp rumours.
• WhatsApp’s firm stance on encrypted content frustrated government officials.
• In addition, proponents highlight security against foreign attacks and surveillance, which opponents consider a weak argument in cases of data mirroring.
• Concerns also rose when Facebook declared that its Cambridge Analytica controversy had affected Indian users as well.
Who is against it?
• Industry bodies, especially those with significant ties to the US, have pushed back heavily.
• A group of industry associations, such as the United States-India Business Council, has written to IT Minister Ravi Shankar Prasad against the recent moves.
What do other countries do?
• The think tank European Centre for International Political Economy has found a surge in data localisation measures worldwide over the last decade.
• Russia has the most restrictive regulation for data flow with strict localisation and high penalties.
• The European Union’s General Data Protection Regulation (GDPR) does not mandate all data to be localised, but rather restricts flow to countries with a strong data protection framework.
Mains Paper 3: Internal Security | Challenges to internal security through communication networks, role of media & social networking sites in internal security challenges
Prelims level: Data Mirroring and Localisation, BN Srikrishna Committee
Mains level: Rising cyber crimes and the role data protection bill would play in reducing them.