Earlier this week, companies around the world scrambled to try and meet a RBI-mandated deadline to store Indian users’ financial data in India, reigniting conversation about “data localisation”. Across ministries and sectors, the government has firmed up its stance on storing data of Indian users in the country, to the discontent of international players and the delight of domestic ones.
The Indian data localisation wave is the latest digital battleground of ongoing power wars between government and industry. As the world weighs free global data flow against national security, what is at stake?
Data localisation is a concept that the personal data of a country’s residents should be processed and stored in that country. Some directives may restrict flow entirely, while others more leniently allow for conditional data sharing or data mirroring – in which only a copy has to be stored in the country.
As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” (MLATs).
What has happened now to bring this into focus?
The recurring data localisation agenda has bubbled up in a number of government directives or drafts. In early April, the RBI issued a circular mandating that payment data be stored only in India by October 15. This covered everyone from Mastercard and Visa to WhatsApp Payments and PayTM. Currently, the RBI has not instituted any fines for those who have missed the deadline but is seeking schedules of pending data transfers to India.
In late July, a data protection draft law by a committee headed by retired Justice B N Srikrishna recommended that all personal data of Indians have at least one copy in India. A subset of that data, labelled critical personal data, must be stored and processed only in India.
Around that time, a leaked draft of the government’s e-commerce policy recommended localisation for “community data [and] data generated by users in India from various sources including e-commerce platforms, social media, search engines”. It also discussed strategies to “incentivise domestic data storage in India” through facilitating data infrastructure. “There could be, say a 2-year, sunset period for industry to adjust before localisation becomes mandatory,” the report stated.
In August, a Reuters article found that a draft report of a cloud computing policy recommended localisation of Indians’ data. Cloud computing, a service offered by the likes of Amazon and Microsoft, allows customers’ data to be stored on remote data centres.
Who is for it?
A common argument of government officials — both in rhetoric and in law — is that localisation will help Indian law enforcement access data. The April RBI circular stated that “to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers”. This especially gained prominence earlier this year, when a spate of lynchings across the country was linked to WhatsApp rumours. WhatsApp’s firm stance on encrypted content frustrated government officials.
In addition, proponents highlight security against foreign attacks and surveillance, which opponents consider a weak argument in cases of data mirroring. Concerns also rose when Facebook declared that its Cambridge Analytica controversy had affected Indian users as well.
Along with fervent government support, most domestic-born technology companies (which tend to have heavy foreign investments) support data localisation, and most of them store their data exclusively in India. PayTM (backed by Alibaba and Softbank) has consistently supported localisation (without mirroring). Reliance Jio, in a response to TRAI, has strongly argued that data regulation for privacy and security will have little teeth without localisation, citing models in China and Russia.
These companies — domestic rivals of many big US giants — especially condemn the large tax differences between international companies operating in India and those with a permanent establishment in the country. Many argue that localisation would lead to a larger presence in India overall, such as local offices, and increase tax liability.
“Data is the new oil” also provides a backbone to much of the localisation drive. In the home of the largest open Internet market in the world, companies like PhonePe claim that national wealth creation relies on in-house data storage. The e-commerce policy took on a similar stance, championing domestic innovation, and the data protection report also mentioned harnessing India’s digital economy.
Who is against it?
Industry bodies, especially those with significant ties to the US, have slung heavy backlash. A group of industry associations, such as United States-India Business Council, has written to IT Minister Ravi Shankar Prasad against the recent moves.
Many are concerned about a fractured Internet (or a “splinternet”), where the domino effect of protectionist policy will lead to other countries following suit. Much of this sentiment harkens to the values of a globalised, competitive internet marketplace, where costs and speeds, rather than nationalistic borders, determine information flows.
Opponents say that this, in turn, may backfire on India’s own young start-ups that are attempting global growth, or on larger firms that process foreign data in India, such as Tata Consulting Services and Wipro.
Critics not only caution against state misuse and surveillance of personal data, but also argue that security and government access is not achieved by localisation. Even if the data is stored in the country, the encryption keys may still remain out of the reach of national agencies.
What do other countries do?
The think tank European Centre for International Political Economy has found a surge in data localisation measures worldwide over the last decade. Russia has the most restrictive regulation for data flow with strict localisation and high penalties. The European Union’s General Data Protection Regulation (GDPR) does not mandate all data to be localised, but rather restricts flow to countries with a strong data protection framework.
The China government mandates localisation for all “important data” held by “critical information infrastructure” and any cross border personal data transfer must undergo a security assessment.
The United States leaves regulation up to the state and sector. Earlier this year, President Donald Trump signed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) which established data sharing with certain countries.