[Ed Note : The following post, the fifth post in the series of posts containing comments to the Report and Draft Bill, 2018 published on the MeitY website, has been authored and compiled by students of NALSAR University of Law. This post contains comments on data localisation framework put forth by the Committee.
The first post in the series can be found here.]
The Data Protection Bill under Section 41 mandates any data fiduciary to store personal data of all data principals in India. It also requires companies process and store all critical personal data only in servers or data centers located in India. This requirement is colloquially known as ‘Data Localisation.’ The report justifies data localisation on several grounds such as easy enforcement, increase in compliance, reduction of foreign surveillance, among others. The following paper will discuss briefly the reasons provided by the Report, it will then critically evaluate the claims, and arguments made by the Committee. It will conclude by arguing against a requirement for data localisation.
Why did the Committee choose mandatory data localisation?
This section will be providing, at the cost of reiteration, the arguments presented by the Report. The Committee initiates its argumentation for data localisation on the ground that law enforcement agencies (LEA) require access to information for the detection of crimes as well as gathering evidence for prosecution. The presence of local copy of the personal data, according to the report, would allow for quicker and more efficient enforcement of laws in India. Presently, eight out of ten of the most accessed websites in India are based in the United States. However, none of these companies have offices in India. Acquiring data from any of these companies is a long and onerous process. The availability of the information is based on the presence of a bi-lateral or a Multi-lateral Agreement Treaty in this specific regard. The requests are passed through several agencies such as the court to the ministry of external affairs to the courts in the foreign jurisdiction before reaching the company. The according to the report is a highly bureaucratic process to access the information, if at all the requests are fulfilled.
The Report also argues that the this would reduce dependency on the fibre-optic undersea cable network this reducing the chances of being vulnerable to attacks. Holding critical information related to the nation inside the borders of the country is necessary for the healthy functioning of the country’s economy among others. The AI ecosystem that the NITI Aayog wishes to develop will receive a massive boost through this move. The growth of AI is directly linked to amount of data available within the jurisdiction, which will be necessary for the development of a local infrastructure. The creation of a digital infrastructure requires this move according to the Report.
It also argues that the chances of foreign surveillance of Indians also reduce. Post the Snowden revelations, the lack of any safeguards for the data of foreigners became clear since the United States legislations do not protect data of foreigners with companies storing their data there.
The Report argues that the cost of storing data in India may not be high, if not for large service providers but for small and medium size service providers. It argues that the costs, firstly, will be worth the spend because of the size of the Indian market and secondly, the cloud storage options available to smaller companies would increase if all data was stored in India.
Lastly, the Report argues that the fears regarding online censorship and chilling effect on free speech are entirely misplaced. It argues that there are other methods of the restricting free speech such as internet shutdowns. That for such restrictions to be possible, it has to be placed in a context of a dysfunctional data law coupled with government intention to use the same. That the images of a completely walled internet similar to China is a caricatured version presented of a post-data localisation web. That the internet in countries has always been shaped by the local context of that country.
What are the problems with mandatory data localisation?
While the arguments in relation to enforceability are well-taken, there are several problems, as this section will argue with regards to mandatory data localisation. While better enforcement of internet related offences is certainly a benefit. The overall benefits of the move however, do not justify the introduction of this move to India.
The argument that India’s dependence on fibre-optic cables will be reduced and allow it to function in times crisis does not hold good. While it is not argued that critical information regarding people’s medical data, financial data and biometrics are not shared outside. This information is necessary for the better functioning of the country especially in times of crisis. However, forcing companies to store local copies of the personal data of individuals does not serve the purpose at any level. This would not reduce the dependency on the cables, since the critical infrastructure being used to process, and compute the data will be available only at the company’s headquarters.[1] The information stored in India will be completely futile.
The AI ecosystem is unlikely to be affected by a mandatory data localisation policy, if anything it could prevent newer companies from coming and testing their products in India. The data stored in India by companies will always be owned by them. The data stored by one company is not transferable to another merely by the virtue of the fact that the data is stored in India. The AI developed by any company will while collecting data be dependent on the proprietary software and hardware of that company or by getting into agreements with other companies to transfer the information to them. The AI will only learn on the basis of the data that is provided to them according to the economic capabilities and interests of the company.[2] If the company wishes to enter the Indian market it will do so by either gathering data by itself or by buying information from the companies that have data on Indians.[3] This transaction can be completed with or without a company necessarily having to store data about Indians in India.
Smaller firms will certainly have options of choosing many cloud storage services in India. However, this will be an additional cost on them regardless. The way smaller companies find foothold in market abroad is through organic marketing wherein they initially gain visibility in a market and then start developing a user-base. The company then chooses to develop or not develop products, if necessary for that market if it seems viable to operate in those markets.[4] This is a pragmatic schema that companies would follow to ensure that their services reach the largest number of people without any additional burden on their operations.[5] As an analogy, if a car manufacturer would have to set up an office in India if even one of its cars was being sold in India. They would simply avoid selling to Indians given cost incurred and the benefits incurred.[6] This is likely to prevent any company from wanting to operate in India.
The argument made about foreign surveillance is flawed since it only looks at one side of the Snowden revelations. The revelations certainly showed that data stored in United States could be accessed at any point. However, the data stored in foreign jurisdictions was equally vulnerable according to the revelations.[7] Lastly, the fears regarding the ability of the government in being able to censor content and the chilling speech are not misplaced.[8] There may be several tools in the governmental arsenal to use and restrict discourse on the internet.[9] However, this does not justify providing more tools to the government in restricting the speech. The enforcement of laws is going to be tougher through MLAT’s is likely to be tough, however, it is a short-sighted move. Especially, given the context in which the government has consistently and unreasonable used internet shutdowns, among other means to curb free speech.[10]
The Internet as it was originally envisaged was developed was to ensure that there is a free-flow of information.[11] This formed the basis of the entire architecture of the network in its initial days.[12] Surely, the manner in which these systems have developed have changed the negotiation and manner of functioning of the internet.[13] However, the primary infrastructure of connecting multiple people remains. This structure of the internet was such to ensure that it stays efficient even scaled and it was this that allowed the internet to grow to the extent that it has today. Forcing companies to store data in India is likely to disrupt this model and prevent any viable growth of the network organically.
Companies in western countries had a head start with regards to the usage of internet because it developed in those countries. Consequently, they were also able to develop better hardware and software to secure the data stored in their servers. This data simply cannot be transferred to any other place suddenly.[14] The transfer of technology with respect to these may take years, not only in terms of legal and economic barriers. There are logistical barriers in setting-up such infrastructure in India. The economic costs itself will disincentivise companies from investing money in India. The Indian market may be large, but this is not enough for anyone to invest in developing such infrastructure in India. Companies may especially be reticent in moving to if the electrical, and technological infrastructure is not well-developed.
[1] Thomas Schultz, ‘Carving up the Internet: Jurisdiction, Legal Orders, and the Private/Public International Law Interface’ (2008) 19 Europe. J. Int’l L. 779
[2] X. Wu, X. Zhu, G. Wu and W. Ding, “Data mining with big data,” in IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 1, pp. 97-107, Jan. 2014.
[3] A. L. Buczak and E. Guven, “A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection,” in IEEE Communications Surveys & Tutorials, vol. 18, no. 2, pp. 1153-1176, Secondquarter 2016.
[4] Delivering Digital Infrastructure – Advancing the Internet Economy Report, April 2014, World Economic Forum.
[5] Helena Ursic; Bart Custers, Legal Barriers and Enablers to Big Data Reuse, 2 Eur. Data Prot. L. Rev. 209 (2016).
[6] Kritika Bhardwaj, Data localisation must go, it damages the global internet, https://www.hindustantimes.com/analysis/data-localisation-must-go-it-damages-the-global-internet/story-Aah1052ExFq6Ylcb9BQ4jJ.html, Hindustan Times, August 03, 2018
[7] Reema Shah, “Law Enforcement and Data Privacy – A Forward-Looking Approach” (2015) 125:2 Yale LJ 543.
[8] Hogan, Mél, and Tamara Shepherd. “Information Ownership and Materiality in an Age of Big Data Surveillance.” Journal of Information Policy 5 (2015): 6-31.
[9] T. Maurer, I. Skierka, R. Morgus and M. Hohmann, “Technological sovereignty: Missing the point?,” 2015 7th International Conference on Cyber Conflict: Architectures in Cyberspace, Tallinn, 2015, pp. 53-68.
[10] Gautam Bhatia, Free Speech Watch, https://indconlawphil.wordpress.com/free-speech-watch/, Indian Constitutional Law and Philosophy; Alexander Plaum, ‘The Impact of Forced Data Localisation on Fundamental Rights’ (Access now 4 June 2014) <https://www.accessnow.org/the-impact-of-forced-data-localisation-on-fundamental-rights/> accessed 15 Feb 2018.
[11] Monroe Price and Stefaan Verhulst, ‘The concept of self-regulation and the internet’ in J. Waltermann & M. Machill (Eds.), Protecting our children on the internet: Towards a new culture of responsibility (Bertelsmann Foundation Publishers 2000) <https://repository.upenn.edu/asc_papers/142/> accessed 15 Feb 2018.
[12] Fraser, E. (2016). Data localisation and the balkanisation of the internet. SCRIPTed: Journal of Law, Technology and Society 13(3), 359-373.
[13] Cyber-Physical Systems <https://www.nist.gov/el/cyber-physical-systems> accessed 15 Feb 2018.
[14] Erica Fraser, Data Localisation and the Balkanisation of the Internet, (2016) 13:3 SCRIPTed 359 <https://script-ed.org/article/data-localisation-and-the-balkanisation-of-the-internet/> accessed 15 Feb 2018.