With the Ministry of Electronics and Information Technology (MeITY) having drafted a Bill on protection of personal and sensitive data, new questions have arisen on the unexplored subject of data localisation. Can it impact established players like Amazon or Microsoft, or even start-ups and future companies entering the market? This edition of IEthinc discussed ‘When government moves for data localisation, where does that put business?’. Gopalakrishan S, Joint Secretary, MeitY; Ashish Aggarwal, Senior Director and Head (Public Policy), Nasscom; S Chandrasekhar, Director, Government Affairs at Microsoft; Shagufta Kamran, Associate Director (TMT), US-India Strategic Partnership Forum; Shweta Rajpal Kohli, Country Director (Government Affairs & Public Policy), Salesforce; and Bedavyasa Mohanty, Associate Fellow, Observer Research Foundation were the panel members at the discussion, moderated by Shruti Dhapola, Assistant Editor, The Indian Express.
Gopalakrishan S: The law on this is a work in progress. There has been a draft Bill on data protection, which includes a bit on localisation which has been out for consultation and we have got feedback from 600-plus entities across the world. It’s now been sort of put in place, has to go to Parliament now. Nothing has been final till now.
I would like to say that today the most drastic thing we need is a privacy law. It is true that it is useful when someone keeps a watch on what we browse, what we buy etc; that makes usage user-friendly. But there is something called behavioural surplus, which is then commoditised and made available in the market. So somebody is willing to pay for that surplus to know what will this guy do, what will this lady do. That’s where the debate on the need for privacy comes in. Today, honestly, there is nothing that can say that something that is happening is against the law. Privacy law says something critical is better stored locally. Now you concede two extreme responses, and understand that the golden mean is somewhere in between.
Data which is stored by some x company of y country — I don’t know whether it is safe or not for India, because that is accessible by the foreign government. This is just one point to ponder over. There are issues about what is stored where, and there are technology issues. There are several scare scenarios also. The draft Bill, which is proposed to be brought, deals only with personal data. It is probably a subset of data; it is not that all the data need to be stored in India. That’s where we start and the final product, after feedback from across the world, will be much clearer and much more focused on what it seeks to do. The purpose of the whole thing is bringing in a law that protects privacy. Localisation can be one of the components, not the end of it. It could be one of the components which would serve the ultimate purpose of ensuring that privacy is assured, data is protected and in case if one is put to some harm, then there is some remedy — either that person gets compensation or the person who has breached can be penalised. I think that’s the basic direction in which we are moving.
Ashish Aggarwal: As a consumer, we believe that my data belongs to me. If you cannot actually enforce that right, or that right is not real, then that gap is what the data protection and privacy law seeks to address. That’s been happening globally. The fact that India is doing it is great, particularly from the technology industry perspective. The industry has blossomed on exports by processing the world’s data. Indian companies have done it. In that sense, we know the opportunities that are there as an industry, and we also recognise the conscience of the consumer. And I think that is where we are. The data protection Bill is just one part of the law and deals with personal data. So while the Bill is a work in progress, you have the RBI already taking certain stands on this matter and that law is in effect. We have taken a conscious decision as the banking regulator to say that all payment-related data needs to be stored only in India, which, if you look into how it solves consumers’ concerns, is not very clear. We are at a stage where we are debating while we have an end goal in mind, the means that we want to reach those goals, do they place a kind of obligation on the industry that is worth the effort?
S Chandrasekhar: I would like you to ponder upon one question. Since when did data become valuable? Data actually started becoming valuable when you were able to draw insights from it — because your ability to have massive-scale computing on a global scale became available. That was the time when data became resource. Now if you had strict data localisation 10-15 years back, would you have had products like Google, Facebook coming in, which is analysing so much of data and works in a pattern that it gives the data that is required?
Second thing, is it feasible commercially for every country to have localisation? It would lead to balkanisation of the Internet, and many countries are not in that scale where they can afford localisation. We now come to two or three critical issues — privacy, security and strategic control. Privacy can be assured, like in many smaller countries, without localisation. Security can be assured without localisation. Then comes strategic control, which is part of government policy, and would probably need some amount of localisation. So even as a multinational company, we also say that if there is some very valuable military data, intelligence data or critical data, it need not be put on the public cloud — it can be put on the premise that there are very good technology means to ensure that the data is localised, but the insights can be anonymised, and we can get the benefit of the cloud without data actually flowing out. Now we are trying to wag the dog and not the tail. The kind of such super-sensitive data, which needs to reside in the country under any circumstances, is very miniscule. Now for this miniscule percentage of data, we are bringing up things which are probably threatening a large number of services which are cheap because they are global. Can India develop a Google? Certainly not. Can India develop a Facebook? Certainly not. Now coming to localisation: it is not the localisation mandate by the government which is forcing them to come here, it is the customers. And when you force them to compulsorily put data in India, the cost of the services go high, and people will move out. So a “one size fits all” kind of approach in data localisation will probably be harmful . What I would urge the government is that there is a need for strategic control, there is a need for data classification; there are some very good norms through which we could classify data. Super-criticial data should definitely remain here, definitely be localised. But a vast majority of data should flow freely so that a thousand ideas can bloom.
Shagufta Kamran: Over the last couple of months, we have actually seen a slew of policy measures, draft policy documents, discussion papers coming out from the government, all hinging towards data localisation. We had the RBI directive. Now, one reason that gets cited in support of data localisation is that it allows government access today, or that data becomes more secure when it is of local residents and should necessarily be in the country. Now what we need to really understand is, what is it that we are trying to solve? And given some of the recent statistics that have come out, localisation doesn’t really seem to be the answer. The BPM sector, as per MEITY estimates, stands at $140-150 billion and continues to be one of the highest sectors when it comes to employment. If we look at innovation caused on account of data, that as per recent studies stands at an estimated $10 billion. India happens to be one of the favorite destinations for a lot of global companies on account of research and development facilities. Given those statistics, I personally feel that blocking the country and moving towards the strategy of data balkanisation may not necessarily be in the interest of both Indian firms as well as foreign firms. One of the things I would also like to highlight is, how are start-ups coming up, how are they using data to innovate and come up with solutions? Or be it overall security issues, how does it help, or what are the reasons why it doesn’t really help to have all data in one place? Or also in terms of overall consumer experience or the user experience, how does that get hampered by such balkanisation? In terms of overall framework, there are a lot of existing global frameworks, and as a country, given that we have strongly benefited from cross-border data flows, we should actually work towards more globally aligned frameworks that support the interests of overall Internet economy as a whole and not just one particular segment.
Shweta Rajpal Kohli: I think there can’t be a more challenging and exciting time in the tech policy world. What is happening not just in India but around the world is unprecedented. Yes, we do require robust privacy legislation. It is something economies around the world are grappling with. The policymakers, the regulators are trying to understand what is the best answer to some of the pressing questions that today’s digital economy has posed for us. That is why it is even more pertinent that we arrive at the right answer, because any policy that is made in haste, or without understanding its far-reaching implications, can have an adverse impact not just for businesses but for global economy, digital economy. That is why one principle any policymaker should put to test is the cost-benefit analysis. What are the compulsions of government, policymakers, regulators, politicians, to put in place these data localisation requirements? What are they trying to achieve versus what is it that this could impact. Some of the arguments we have heard very often are: it enhances privacy, it enhances security, it is something we need to do in national interest. The other argument we have heard very often is: it is required for law enforcement, especially at a time when frauds are happening every other day.
Now let us look at the other side. There is a study done by NIPFP, an autonomous think-tank also reporting to the Finance Ministry. The study says sweeping legislation on data localisation would shave off 0.8% from India’s GDP. Obviously we could question those numbers, analyse those numbers, but it would bring down domestic investment by 1.4%. Let me move to the other argument that is made, that we need localisation to enhance safety and privacy. But ask any privacy expert and they would tell you localisation does not advance your security and privacy goals. On the contrary, it actually increases the vulnerability of the data simply because it is residing in one particular location.
India today is the hub of the BPO industry globally. Imagine if every country were to put in place data localisation mandates, imagine the reciprocal impact for a country like India that is today the software hub of the world. That impact is something we haven’t even quantified right now, because the world today is looking at India to see what its privacy legislation will be. If we don’t get this right, and if we make data localisation a flavour and the means to the end that we are trying to achieve, perhaps the impact on the global economy will be very adverse. Those are some questions that regulators and policymakers should analyse before we actually put in place, in haste, data localisation.
Bedavyasa Mohanty: Data localisation is obviously not new. Different governments have been using it as a coercive measure of last resort or threatening it. Now from the Indian government’s perspective, I don’t think cyber balkanisation is a concern because the government believes that as a large market for foreign tech companies, the coercive power is something that only India can wheel today. Whether other countries impose localisation is not really a concern to them. To them, it seems like a win-win scenario. It takes no investment from the government — all the investments will come from the private sector; the data is localised here. And then two or three concerns they have highlighted: law enforcement, foreign surveillance etc will all be solved, so it is win-win. Now while we are looking at the efficacy of the policy, the real question is whether it is a good strategic move or not. One of the biggest complaints that the Indian government, law enforcement, the Ministry of Home Affairs have always had is the time it takes for Indian law enforcement to get data from the United States. When a crime is committed here, when the culprit is here, when the affected party is here, the data is just located elsewhere. The reason why American tech companies aren’t allowed to give the data to law enforcement is because there are restrictions under the Electronic Communication Privacy Act that doesn’t allow any tech company to give the data out to any government upon request. Only the Attorney General can make the request, the Federal court grants the warrant, upon which the data is shared. That is unlikely to change even if data localisation is put into place. They would still not do something that is against the US law.
For the vast variety of data that the data localisation Bill considers, there is only a requirement that you store a copy of the data here and another copy elsewhere. If a foreign government was to intercept some communication, conduct surveillance over users, there is nothing to stop them from attacking the system that are within their territories. So does data localisation solve the foreign surveillance problem? No.
The adverse effect of data localisation is again something that has not been looked into. How will it impact the economy? Data services don’t really require much manpower, it’s not like it is going to generate any sort of employment. Has the government done any assessment of the economic impact to manage these data services? Does it have the capability or the land to do any of these? It hasn’t been looked at yet.
Shruti Dhapola: Is it possible to engineer a product keeping data localisation in mind?
S Chandrasekhar: The answer is yes; for a company like Microsoft, it is possible to engineer products to comply with strict data localisation. But the cost and effort is so high that a company like Microsoft or any global company will probably bypass the Indian market because there are products today available, there are services, features which are available across the world which we don’t operate in India, because the hustle required to reengineer the product is far too much, compared to any possible revenue or benefit that we are likely to get.
Ashish Aggarwal: It is not just about large corporations. Look at the unintended effect. You have start-ups. In the first step, you are sourcing solutions to provide to your client because you don’t want to make solutions. You look for something readymade and bring that to your clients. The data might actually be stored somewhere else — the cheapest and most efficient solution you want to buy. The law applies to everybody, and the threshold for exemption is fairly low. So at this stage, the start-up is going to make choices based on not economy but law. Secondly, start-ups are like — I am in India today, why should I bother for localisation, maybe it gives me some advantage? I think it’s a myopic view, at least for those start-ups who have global aspirations. When we do that, the perceived advantage of local storage becomes a disadvantage because, then, you are stranded with a model which is economically not competitive.
Shagufta Kamran: When we look at product engineering or product solutions today, what we need to look into is that data itself doesn’t have any intrinsic value. It actually is the technology, or the equation the companies have been able to drive through that data, which has become valuable. WhatsApp is an example we all know… If we look at data and product solutions, a lot of companies engineer and reengineer their models. Some have failed, some have succeeded. Secondly, when we look at data localisation as a solution, we have seen some of the biggest giants actually struggle in terms of providing any solution or support, when it comes to even simple government programmes. For instance, when you store all data in one location and tomorrow there is a natural disaster, what is the solution there? Does India really have that kind of capacity and infrastructure to support data structure in India. Those are the immediate points when one thinks of product solution.
Gopalakrishan S: I tend to see a very scary scenario from the rest of the panel. I think it is not that scary. Data localisation is not the solution in its entirety. It is part of the solution. Every country has its own data localisation issues… Some amount of localisation is definitely mandated, it is a debatable issue and that can be worked out. There are several critical sovereign issues which need to be looked at, which we cannot turn a blind eye to. This is not a concern only of India, it is a concern of the US, it is a concern of the EU.
Shweta Rajpal Kohli: Everyone agrees there is a compulsion of policymakers. One has to understand and arrive at the best possible solution. At the same time, when we are looking at policymaking in the tech space, it is very important to ensure that we are not turning the wheel back because we have made certain advancement in technology, we derived certain benefits of globalisation. Today when we talk about making a clear distinction between foreign companies versus Indian companies, nationalism of a very shrill nature is coming in to this debate. We are almost leading to a breakdown of entire model which allowed us to flourish, move forward, and create this digital economy. The whole basis of the digital economy fails the minute we say there are boundaries and there is flow of data. We come back to the question of yes, there is a need; yes, there are certain things we need to address. But are we going to bring damage of a nature that will be very hard to undo? And I also think compliance happens. All companies that will operate in a country will comply by the laws of the land. But is that reason enough to bring in place policies that are sometimes not even possible? That’s the question.