The Case for Data Localisation in India: Benefits and Challenges
Clive Humble, a data scientist, once said that data is the new oil of the 21st century. It highlights the importance of seeing data in the light of an asset and not just numbers and information on a computer. Various countries have implemented data localisation, realising the importance of data. Data localisation refers to the process in which data is stored, collected, and processed within the boundaries of a nation. It emerges from an idea of data sovereignty, which suggests that states have complete jurisdiction over the data being collected from their country. As the government is due to notify the Digital Personal Data Protection Act (“DPDPA”) soon, analysing India’s stance on data localisation is imperative.
India’s Contemporary Position on Data Localisation
As the digital economy continues to grow in India, the issue of data localisation has become a hot topic of debate. From April 2018, RBI required all covered entities to store financial information within the boundaries of India and clarified all the information required to be stored within India. The IRDAI (Maintenance of Insurance Records) Regulations, 2015, also mandates that data about all policies issued and all claims made in India be stored in India.
The DPDPA also highlights the importance of data localisation. Under Section 16, the Central Government may restrict the transfer of personal data and its processing outside the country’s territory. Previously, the Srikrishna Committee Report also recommended storing at least one copy of data on servers located in Indian territory and that critical personal data should only be stored within the territorial jurisdiction of India.
Perks of Data Localisation
After the Shreya Singhal judgment, the right to privacy has become a fundamental right under Article 21 of the Constitution. Hence, the state should protect citizens’ personal data in the digital world. Limiting data flow to the country’s territorial boundaries will ensure that data is stored and processed in compliance with local laws.
India has the second-largest internet population, and storing such massive data outside its jurisdiction poses a threat. Law enforcement agencies have been denied data multiple times by companies that store the data outside the country. These companies generally refuse to comply with such requests because they do not subscribe to India’s juIndia’sion and are in compliance with the company’s home jurisdiction. Therefore, Indian law enforcement agencies face constraints while accessing data due to conflicts in legal systems. India has signed various mutual legal assistance treaties (MLATs) to resolve the conflicts and get access to data promptly. However, this is not a viable solution for all countries. Data localisation will reduce the constraints in accessing the data during any investigation stage after following the due process of law.
Pitfalls of Data Localisation
The assessment of data localisation policies has to consider their impact on relevant stakeholders, such as companies, agencies responsible for checking compliance, and data fiduciaries. An ICRIER research suggests that a 1% decrease in cross-border data flow can potentially result in a loss of $696.7 million (approximately ₹5900 crores) in trade for India. Companies responsible for storing and processing data find it easier and more convenient to store data in places where they have already established their data centres.
Data centres are expensive to build, and even their maintenance adds to the cost of managing a data centre in a country. The average price per megawatt for setting up a greenfield Tier-4 data centre is around ₹50 crores per megawatt. Therefore, one of the major criticisms of data localisation is its cost-effectiveness. Companies, especially startups, find it challenging to have such advanced data centres and maintain them for an extended period. Therefore, they opt for cloud data processing, where a third-party company handles the data. These cloud data processing companies have already set up massive data centres in other countries. The USA has the maximum number of data centres, as per the data from Data Centre Magazine. India does not find a place in the top ten spots.
Data localisation also limits citizen data access to only the country’s territorial boundaries. Tech giants have collected vast amounts of data and processed it since the inception of the internet to make their services better and more viable for users. Since data outflow will be restricted, companies will find it challenging to collect and process data through institutionalised means.
Conclusion
After almost three decades of uncontrolled cross-border data flow, India opting for data localisation seems counterintuitive. However, data localisation has its perks for developing nations, which, if implemented not in the strict sense as advocated by hard data localisation but in a liberal sense, would help the country harness its full potential. The privacy of the second-largest internet population of a country is cardinal and has to be dealt with considering all the viable options. India indeed will not consider steps like Russia’s LinkedIn and Brazil’s WhatsApp bans.