Milind Deora
‘Data is the new oil’ is a 21st-century buzzword. In the
digital economy, data is fuelling the fourth Industrial Revolution, and is the
most valuable resource for governments, law enforcement and private industries
alike.
In that context, the debate around data localisation has
been a recurring point of contention globally. In India, it has recently
resurfaced owing to RBI’s April circular mandating the storing of Indians’ data
from e-payment and fintech companies locally. The companies were given an
October 15 deadline to comply.
Data localisation is a divisive issue in India and globally.
GoI argues that the move is imperative to ensure better monitoring and
supervision by law enforcement agencies. Indianborn tech firms also tend to be
its proponents. Such a move ensures India is collectively responsible for the
data of Indians — not just government, but also domestic-born firms and Indian
divisions of global companies.
From a national security point of view, allowing Indians’
data to be stored on foreign cloud services is problematic. During my time as a
minister in GoI, an informal check conducted by my team revealed that over 70%
of central bureaucrats, politicians and ministers used cloud-based services
like Gmail for official government purposes. Shortly thereafter, we instituted
a revised policy that required only government-allotted email to be used for
official business.
Data localisation could provide a massive boost to domestic
employment and economy. Setting up the physical infrastructure for local data
storage as well as running data centres (and processing and analysing data)
would create jobs, and give impetus to entrepreneurial innovation in, say,
alternative energy-powered data centres. Localisation will also bring in
infrastructure and technology to India, which could contribute immensely in
building our indigenous capabilities and developing industries like artificial
intelligence (AI) and data analytics.
Some of the biggest opponents are international tech and
payment giants like Google, Facebook, Visa and Mastercard, as well as industry
bodies and associations, particularly those with interests in the US. Critics
warn of the dangers of restricting cross-border data flows, manifesting in the
‘splinternet’ — now common terminology for a fractured, balkanised internet.
Another reigning concern is India’s ability to power all the data centres that
would need to be set up, since we’re an electricity-scarce country.
But the real grey area, the root of the debate, lies in the
question of data security in India. As digital citizens, we must ask: is our
data secure in India?
Data centres require essentially two layers of security:
physical, where protocols are required to be built into the very infrastructure
of the centres to safeguard against physical damage or attacks; and network, to
prevent malicious data breaches and hacks. One would assume that a Facebook or
a Google would have standardised security protocols for its data centres across
the world, and India would be no exception.
However, what India doesn’t have are internal safeguards in
terms of data protection and privacy laws like the US and Europe do. Data
Security Council of India (DSCI) CEO Rama Vedashree argues that localisation
does not guarantee data security, and requires a strong data protection regime.
So, one can argue that data could be less safe in India because of this data
protection vacuum, because citizens don’t have access to a legal and regulatory
framework that safeguards their personal data.
The draft Personal Data Protection Bill, 2018, submitted by
the Srikrishna Committee, recommends storing one copy of all personal data in
India, and ‘critical’ personal data only within the country. The definition of
‘critical’ was left to GoI to decide, and is now likely to be determined by
individual ministries and sectoral regulators. Data localisation, combined with
the governmental interpretation of ‘critical’, could well force us to think
about protecting our data from State surveillance.
The biggest question in this debate, then, is about the role
of the government. Twice a year, Facebook releases a transparency report that
highlights the number of data requests made by each country’s government. In
the latest, of the 82,341requests, the highest were made by the US government
at 32,742, and the second highest by GoI at12,171. For context, that leaves
37,428 requests among the other 102 countries, an average of 367 per country
(and several were in single or double digits).
Even though their numbers are a lot higher than ours, the US
has a much stricter regime of checks and balances than India. These requests
may be perfectly well-intentioned. But what happens when they’re not? What are
the protocols for GoI to access our personal data? And how do we ensure that
this data is not misused or manipulated for illegitimate purposes?
India’s still a country where law enforcement and
investigative agencies are not divorced from politics, which can compromise
their independence. Juxtapose this with the US where the president is currently
under a special counsel investigation that’s looking into Russian tampering in
the 2016 presidential election.
India can definitely benefit from data localisation. But
these benefits must not be stymied by a weak data protection regime. When GoI
legislates on this, it must incorporate the highest standards of privacy and
data protection for its citizens — without compromising national security —
even if it means protecting them from GoI itself.