Relevance: GS-2: Government Policies and Interventions for Development in various sectors and Issues arising out of their Design and Implementation,
Relevance: GS-3: Challenges to Internal Security through Communication Networks, Role of Media and Social Networking Sites in Internal Security Challenges, Basics of Cyber Security; Money-Laundering and its prevention.
Key Phrases: Mutual Legal Assistance Treaties, Justice Srikrishna Committee report, Data Protection, Data Sovereignty, Data Protection Authority,
Why in News?
- The recent report from the office of the United States Trade Representative (USTR) has criticized the data localization rules which are implemented in India.
- The report also alleges that India’s proposed and implemented several data localization rules could act as an impediment to digital trade and increase the cost of operations of multinational service providers, resulting in some of the smaller firms moving away from India.
- The report fails to recognize the challenges faced by policymakers in monitoring data that is stored in servers outside the country.
Data Localization:
- Data localization is the act of storing data on any device that is present physically within the boundaries of a particular country in which the data are produced.
India’s Rules in Place for Data Protection
- Currently, the only mandatory rule on data localization in India is by the Reserve Bank of India for payment systems.
- The second piece is the Draft Personal Data Protection Bill, 2018 itself which has specific requirements on cross-border data transfers.
- The draft e-commerce policy also has clauses on cross-border data transfer. For example, it suggests that if a global entity’s India subsidiary transfers Indian users’ data to its parent, the same cannot be transferred to a third party, even with the user’s consent.
Status of Data Localization in Other Countries
- Australia and Canada: they protect their health data very carefully
- Vietnam: It mandates one copy of data to be stored locally and for any company that collects user data to have a local office, unlike the EU’s GDPR; citing national interests.
- China mandates strict data localization in servers within its borders. International reports refer to data protection laws in Vietnam and China as being similar, in that they were made not so much to protect individual rights as to allow government to control data.
- For the EU, it is clear that customer is ‘king’. Their GDPR is agnostic to technology and sector.
- Interestingly, the U.S. has no single data protection law at the Federal level. It does, however, have individual laws such as the HIPAA (Health Insurance Portability and Accountability Act of 1996) for health care, another for payments, and the like.
- Brazil, Japan, Korea and New Zealand have put in place data protection laws.
- Chile has recently announced the setting up of an independent data protection authority, while Argentina is currently reforming its privacy legislation.
Importance of Data Localization
- Data Protection:
- The main intent behind data localization is to protect the personal and financial information of the country’s citizens and residents from foreign surveillance and give local governments and regulators the jurisdiction to call for the data when required.
- Revelations of social media giant Facebook sharing user data with Cambridge Analytica, which is alleged to have influenced voting outcomes, have led to a global clamor by governments for data localization.
- National Security:
- Storing of data locally is expected to help law-enforcement agencies to access information that is needed for the detection of a crime or to gather evidence.
- Where data is not localized, the agencies need to rely on mutual legal assistance treaties (MLATs) to obtain access, delaying investigations.
- Technological Growth:
- Machine learning (ML), artificial intelligence (AI), and IoT technology can generate huge value from data. If not used within certain constraints, it can become catastrophic.
- Job Creation:
- On-shoring global data could also create domestic jobs and skills in data storage and analytics too.
- Critical for Law Enforcement:
- According to Justice Srikrishna Committee report, data localization is critical for law enforcement.
- Access to data by Indian law agencies, in case of a breach or threat, cannot be dependent on the whims and fancies, nor on lengthy legal processes of another nation that hosts data generated in India.
- Helping Indian Tech Companies Grow:
- Technology playfields are not even. A developing country such as India may be playing catch-up with a developed nation, which may be willing to offer liberal laws.
- The data localization provides Indian technology companies with an opportunity to develop their perspective from services to products.
Concerns and Challenges:
- Anti-competition: Foreign companies have an advantage over all other Indian firms. They have large social base which provide them with an edge over Indian companies. E.g. Facebook, WhatsApp have a large social media and messaging base that enable them to influence their users. Providing a level playing field to the local firms is difficult.
- Privacy Concerns: The larger concern is related to the of privacy of the citizens. Even if companies agree to set up data localization in India, companies will still have access to data on all transactions, which could be misused. E.g. Facebook can use its social media data linking it with transactions made through WhatsApp.
- Short term solution: Having data in India does not mean that domestic companies will be able to access this data. Localization may help in the growth of the local data centers and the cloud computing industry in India, but such an approach is a short term measure as major of data will be with outside companies.
- Against e-commerce sector: Mandating localization will be against government policy to promote e-commerce. Further mandating a strict data localization regime could be perceived as a trade barrier and will adversely impact India’s economic growth.
- Would impact industry: Data localization will lead to rise in prices of foreign company services. They may increase cost of their services like cloud computing. It will impact industries as well as start-ups relying on these services.
- Burden on judiciary: Due to Data localization conflicts will increase leading to litigations. This will put extra burden on judiciary which is already overburdened.
- Increased Power Consumption: More data centers can mean that India’s renewable energy markets have new, power-hungry customers. This would enable data location to also boost renewable energy in India.
Key Points of B N Srikrishna Committee Report on Data Protection:
- The law will have jurisdiction over the processing of personal data if such data has been used, shared, disclosed, collected or otherwise processed in India.
- Additionally, personal data collected, used, shared, disclosed or otherwise processed by companies incorporated under Indian law will be covered, irrespective of where it is actually processed in India.
- The law will not have retrospective application and it will come into force in a structured and phased manner.
- The Aadhaar Act needs to be amended to bolster data protection.
- An independent regulatory body called Data Protection Authority(DPA) will be responsible for the enforcement and effective implementation of the law.
- The Central Government shall establish an appellate tribunal or grant powers to an existing appellate tribunal to hear and dispose of any appeal against an order of the DPA.
- The state can process data without consent of the user on ground of public welfare, law and order, emergency situations where the individual is incapable of providing consent, employment, and Reasonable purpose.
- Sensitive personal data will include passwords, financial data, health data, official identifier, sex life, sexual orientation, biometric and genetic data, and data that reveals transgender status, intersex status, caste, tribe, religious or political beliefs or affiliations of an individual. However, the DPA will be given the residuary power to notify further categories in accordance with the criteria set by law.
- Cross border data transfers of personal data, other than critical personal data, will be through model contract clauses.
Way Forward:
- India’s digital vision talks about data sovereignty and giving domestic firms an advantage.
- India has a stronger bargaining chip than most nations in pushing for data localization — access to its billion-strong consumer market.
- With the right policy incentives like evaluating both pros and cons of data protection, it is very much needed to take certain measures for storage and the future of India via-a-vis trans-border data flows.
- The importance of the ability to share data is as important as the existence of data itself. Cross-border data flows are and will remain instrumental in shaping the future of the world.
Sources: The Hindu BL
Mains Question:
Q. Recently report by United States Trade Representative has criticized the Indian Data Localization rules. In this context critically analyze the use of data localization in India, also mention the current laws/rules/regulations in place on data localization along with way forward.