Home , , , � Data Localisation directive is weak and its intent misdirected

Data Localisation directive is weak and its intent misdirected

There has been a lot of focus on (personal) data localisation off late, thanks to a policy announced by RBI and also as a part of the Draft privacy bill by justice Srikrishna committee. Both these documents present similar views on the subject of personal data localisation. Essentially, what they say is that any company (body corporate) collecting personal information of Indian citizens, is free to store the data in any part of the world provided they maintain a copy of the data locally within India.

Most multinational companies seem to have a problem with the data localisation requirements, may be because most of these companies are incorporated overseas and would prefer to follow the legal jurisdictions of countries where they are incorporated. Countries such as the United States or even the European Union have personal data processing laws which may necessitate that data processed by companies incorporated in their territories should preferably be stored within their own territories; while the HIPAA or GDPR does not explicitly require that such data is kept in Europe but some of the other clauses of GDPR will be more convenient to comply with if the data was co-located within Europe.

However, even for MNCs who have a significant local presence with local subsidiaries incorporated/registered in India, the data localisation regulation presents a cost implication. Take for example payment processors such as MasterCard or Visa - currently, they host their servers overseas and with the data localisation requirement they will have to set up additional infrastructure in India store a copy of data here. Depending on how voluminous this data is, the additional data store would require significant capital expenditure and maintaining it would incur significant operational costs as well. Further, this would also make this local data store come under the jurisdiction of Indian authorities who may request for access to the data under various other laws such as the IPC [Indian Penal Code] and regulations by RBI and SEBI - complying with such requests will require setting up a team to manage and service the requests - all adding up to the Operational expenditure.

However, as argued by Sachin Bansal and Manish Sabharwal in this piece, these costs notwithstanding, MNCs should fall in line and comply with the regulations given that the regulations are in favour of Indian general public i.e. the MNCs' customers. They also counter argue, that by not mandating that this data should be kept only in India and by allowing this data to be maintained overseas, the regulations have been fair and they do not present significant operational challenges to MNCs or even Indian companies doing businesses overseas.

But if you looked that this clause as a dispassionate external observer, maybe Norwegian national for example, you would realise that this clause which allows the primary data to be kept overseas and only a copy to be maintained within the Indian territory, is actually a very convenient way for the governments and regulators to say that "I don't care what happens to the data of my citizens wherever else it is kept, all I want is to be able to snoop into the personal information of my citizens as and when I want according to the laws defined in my country".

By allowing data to be stored overseas, without any restrictions, the regulators are providing no cover to snooping or leakage of this data from an overseas territory. For example, Indian citizens' data kept on servers of MasterCard, Visa or American Express in their US data centres is open to being snooped by the US government. At the same time, the same data can be accessed by the Indian government or regulators from the local data stores. In effect, there is absolutely no protection for citizens and all provisions of these regulations only facilitate the regulator or government while allowing (or coercing?) businesses to be complicit participants in this game of personal data espionage.
To be fair, I must also add that it isn't trivial for personal data to be accessed by government agencies anywhere in the world. Most personal data such as credit card numbers is kept in an encrypted form and is not visible in plain sight. A hacking attempt on a credit card database, for example, is unlikely to result in stealing of this data. Nevertheless, a government agency with sufficient privileges can get access to this data by using local laws and forcing the company to decrypt the data and provide them a copy. So the risk of data snooping by government is still very real, even though, the actual mechanisms may be complex.
A decade ago one would have called such allegations as baseless but after the revelations by Edward Snowden about the Prism project by the US government, this is a reality and can no longer be swept under the carpet as a figment of someone's imagination.

So what would be the solution one would ask, clearly for a developing nation like India it will not serve well to close its own data economy by mandating that any service provider should store data ONLY within the Indian territory. In the larger interest of a globalised world also, this would not be a welcome restriction. But opening up data to all world governments to facilitate global economy is taking a very narrow view of how data protection can be implemented for citizens of India. Solutions can be sought if one has the will to protect citizen data and not an intention of only allowing access to their information for purpose of government or national interest.

A simple solution would be that storing data is allowed in any part of the world, as long as all personal data is encrypted 'at source' [i.e. when it is collected*] and the encryption key used to encrypt data should be stored exclusively in Indian territory. This way if any government - foreign for Indian - wanted to get access to this data they would need to have access to the key which is kept in India. To access this key they would need to file proper claims under local Indian laws and establish their need to access this data for valid purposes. This mechanism can not only protect personal information from being snooped into by foreign governments but can also be a very effective way of preventing unauthorised or unscrupulous elements within the Indian government machinery from being able to access this data at will. Police or Income Tax officers will not be able to access personal information of citizens just because they happen to represent the government unless they have proper authorization.

The challenge, however, seems to be that regulators and governments are only looking at one side of the picture which is how do they ensure national or government interest rather than focus on protection of citizen personal data.

While I am guilty of not having represented this view to the Justice Srikrishna Committee, I plan to submit this piece of text to the 'Ministry Of Electronics And Information Technology' which will be presenting this bill in the Indian Parliament. I do hope that the government reconsiders data localisation requirements to ensure that the law is front-loaded with considerations of citizens interest rather than only protecting the interests of the government or the nation-state.

* An example of data encryption at source is passwords - when you choose a new password, the actual password is not sent to the website, but rather your password is encrypted by your browser itself and an encrypted 'hash' of the password is sent to the website and the same hash is stored in the servers. Your actual password is not stored by the website.  

1 Comments to " Data Localisation directive is weak and its intent misdirected "

Leave a comment