Driven by a view that data is wealth (or “new oil”) that needs to be secured and controlled for the development of the nation, India has advocated data localization — the storage of personal data on servers located within the physical boundaries of the country.
As Prime Minister Narendra Modi put it at Davos earlier this year: “Today, data is a real wealth and it is being said that whoever acquires and controls the data will have hegemony in the future. The global flow of data is creating big opportunities as well as challenges.”
Be it the Reserve Bank of India (RBI) or the draft Personal Data Protection Bill, 2018 (PDP Bill), most policy statements linked to data governance have argued in favor of data localization.
But this move to make companies store data locally has faced opposition from global technology giants who favor free flow of data.
A new report from industry body Internet and Mobile Association of India (IAMAI) has cautioned against imposition of data localization norms.
There are a number of concerns with operationalizing data localization, according to the report titled “Digital Technology Policy for India’s USD 5 Trillion Economy” released late last month.
First, the storage of all the country’s critical data within India runs the risk of creating a “honeypot” of such data, which is vulnerable to cyber-attacks, foreign surveillance and other threats, said the report.
Citing a couple of studies, the report went on to argue that data localization may have potentially harmful consequences for the Indian economy.
The European Centre for International Political Economy (ECIPE) has found that economy-wide data localization laws drain between 0.7 per cent and 1.1 per cent of GDP from the economy for no benefit, since “any gains stemming from data localization are too small to outweigh losses in terms of welfare and output in the general economy”, the report said.
“Given the harmful consequences associated with mandatory data localization, it is recommended that the government should reconsider the imposition of ‘hard’ data localization,” said the report.
“Alternatively, an incentive framework should be created to incentivise a voluntary shift to storage on local data servers in India in the long term, without disrupting ease of doing business in the country,” it added.
However, according to Pavan Duggal, one of the nation’s leading cyber law experts, in terms of data localization, the provisions of the PDP Bill go against the stand taken by the Reserve Bank of India.
“The RBI has taken the stand that all banking and payment data related to people of India should be physically stored in India. The proposed data protection bill says you do not need to keep the data in India – only keep a serving copy. That I think will not serve India better. And in all probability, it will hurt India’s sovereign interest,” Duggal told IANS.
Leading tech policy and media consultant Prasanto K. Roy argues that data localization would not adequately address security issues.
“Business wise, it causes extra costs – and not just for foreign firms but for India-based ones as well who are beginning to face the same demands in countries which are looking to India’s localization laws (Indonesia, Vietnam),” he had said.
“Security can be affected in a number of ways by fragmenting networks and platforms. For instance fintech and card companies rely on complex anti-fraud platforms, which further rely on data from across the world,” Roy said.
“If we cut off India from those platforms then not only do they not draw on and learn from India’s data, India also doesn’t benefit from the real-time Artificial Intelligence (AI) and Machine Learning and anti-fraud technology and threat intelligence sharing provided by those platforms,” he added.
However, given the fact that only a few technology giants have access to a huge repository of global data, there is also a threat of data colonization in the absence of adequate control over data. There is hardly a dispute over the fact that sensitive data needs to be stored locally.