Data Safety Begins at Home

Milind Deora

‘Data is the new oil’ is a 21st-century buzzword. In the digital economy, data is fuelling the fourth Industrial Revolution, and is the most valuable resource for governments, law enforcement and private industries alike.

In that context, the debate around data localisation has been a recurring point of contention globally. In India, it has recently resurfaced owing to RBI’s April circular mandating the storing of Indians’ data from e-payment and fintech companies locally. The companies were given an October 15 deadline to comply.

Data localisation is a divisive issue in India and globally. GoI argues that the move is imperative to ensure better monitoring and supervision by law enforcement agencies. Indianborn tech firms also tend to be its proponents. Such a move ensures India is collectively responsible for the data of Indians — not just government, but also domestic-born firms and Indian divisions of global companies.

From a national security point of view, allowing Indians’ data to be stored on foreign cloud services is problematic. During my time as a minister in GoI, an informal check conducted by my team revealed that over 70% of central bureaucrats, politicians and ministers used cloud-based services like Gmail for official government purposes. Shortly thereafter, we instituted a revised policy that required only government-allotted email to be used for official business.

Data localisation could provide a massive boost to domestic employment and economy. Setting up the physical infrastructure for local data storage as well as running data centres (and processing and analysing data) would create jobs, and give impetus to entrepreneurial innovation in, say, alternative energy-powered data centres. Localisation will also bring in infrastructure and technology to India, which could contribute immensely in building our indigenous capabilities and developing industries like artificial intelligence (AI) and data analytics.

Some of the biggest opponents are international tech and payment giants like Google, Facebook, Visa and Mastercard, as well as industry bodies and associations, particularly those with interests in the US. Critics warn of the dangers of restricting cross-border data flows, manifesting in the ‘splinternet’ — now common terminology for a fractured, balkanised internet. Another reigning concern is India’s ability to power all the data centres that would need to be set up, since we’re an electricity-scarce country.

But the real grey area, the root of the debate, lies in the question of data security in India. As digital citizens, we must ask: is our data secure in India?

Data centres require essentially two layers of security: physical, where protocols are required to be built into the very infrastructure of the centres to safeguard against physical damage or attacks; and network, to prevent malicious data breaches and hacks. One would assume that a Facebook or a Google would have standardised security protocols for its data centres across the world, and India would be no exception.

However, what India doesn’t have are internal safeguards in terms of data protection and privacy laws like the US and Europe do. Data Security Council of India (DSCI) CEO Rama Vedashree argues that localisation does not guarantee data security, and requires a strong data protection regime. So, one can argue that data could be less safe in India because of this data protection vacuum, because citizens don’t have access to a legal and regulatory framework that safeguards their personal data.

The draft Personal Data Protection Bill, 2018, submitted by the Srikrishna Committee, recommends storing one copy of all personal data in India, and ‘critical’ personal data only within the country. The definition of ‘critical’ was left to GoI to decide, and is now likely to be determined by individual ministries and sectoral regulators. Data localisation, combined with the governmental interpretation of ‘critical’, could well force us to think about protecting our data from State surveillance.

The biggest question in this debate, then, is about the role of the government. Twice a year, Facebook releases a transparency report that highlights the number of data requests made by each country’s government. In the latest, of the 82,341requests, the highest were made by the US government at 32,742, and the second highest by GoI at12,171. For context, that leaves 37,428 requests among the other 102 countries, an average of 367 per country (and several were in single or double digits).

Even though their numbers are a lot higher than ours, the US has a much stricter regime of checks and balances than India. These requests may be perfectly well-intentioned. But what happens when they’re not? What are the protocols for GoI to access our personal data? And how do we ensure that this data is not misused or manipulated for illegitimate purposes?

India’s still a country where law enforcement and investigative agencies are not divorced from politics, which can compromise their independence. Juxtapose this with the US where the president is currently under a special counsel investigation that’s looking into Russian tampering in the 2016 presidential election.

India can definitely benefit from data localisation. But these benefits must not be stymied by a weak data protection regime. When GoI legislates on this, it must incorporate the highest standards of privacy and data protection for its citizens — without compromising national security — even if it means protecting them from GoI itself.