Data localisation: why, why not

• The Indian data localisation wave is the latest digital battleground of ongoing power wars between government and industry.
• As the world weighs free global data flow against national security, what is at stake?

What is Data localisation?

• Data localisation is a concept that the personal data of a country’s residents should be processed and stored in that country.

• Some directives may restrict flow entirely, while others more leniently allow for conditional data sharing or data mirroring in which only a copy has to be stored in the country.

• As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” (MLATs).

What has happened now to bring this into focus?

• The recurring data localisation agenda has bubbled up in a number of government directives or drafts.

• In early April, the RBI issued a circular mandating that payment data be stored only in India by October 15.

• This covered everyone from Mastercard and Visa to WhatsApp Payments and PayTM.

• Currently, the RBI has not instituted any fines for those who have missed the deadline but is seeking schedules of pending data transfers to India.

B N Srikrishna committee Recommendations

• In late July, a data protection draft law by a committee headed by retired Justice B N Srikrishna recommended that all personal data of Indians have at least one copy in India.

• A subset of that data, labelled critical personal data, must be stored and processed only in India.

• The government’s e-commerce policy recommended localisation for “community data and data generated by users in India from various sources including e-commerce platforms, social media, search engines”.

• It also discussed strategies to “incentivise domestic data storage in India” through facilitating data infrastructure.

• “There could be, say a 2-year, sunset period for industry to adjust before localisation becomes mandatory,” the report stated.

• In August, a Reuters article found that a draft report of a cloud computing policy recommended localisation of Indians’ data.

• Cloud computing, a service offered by the likes of Amazon and Microsoft, allows customers’ data to be stored on remote data centres.

Who is for it?

• Localisation will help Indian law enforcement access data.

• In RBI circular stated that “to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers”.

• This especially gained prominence earlier this year, when a spate of lynchings across the country was linked to WhatsApp rumours.

• WhatsApp’s firm stance on encrypted content frustrated government officials.

• In addition, proponents highlight security against foreign attacks and surveillance, which opponents consider a weak argument in cases of data mirroring.

• Concerns also rose when Facebook declared that its Cambridge Analytica controversy had affected Indian users as well.

Who is against it?

• Industry bodies, especially those with significant ties to the US, have slung heavy backlash.

• A group of industry associations, such as United States-India Business Council, has written to IT Minister Ravi Shankar Prasad against the recent moves.

What do other countries do?

• The think tank European Centre for International Political Economy has found a surge in data localisation measures worldwide over the last decade.

• Russia has the most restrictive regulation for data flow with strict localisation and high penalties.

• The European Union’s General Data Protection Regulation (GDPR) does not mandate all data to be localised, but rather restricts flow to countries with a strong data protection framework.


Mains Paper 3: Internal Security | Challenges to internal security through communication networks, role of media & social networking sites in internal security challenges

Prelims level: Data Mirroring and Localisation, BN Srikrishna Committee

Mains level: Rising cyber crimes and the role data protection bill would play in reducing them.

Share article