
Data Localisation directive is weak and its intent misdirected

There has been a lot of focus on (personal) data localisation of late, thanks to a policy announced by the RBI and also to the draft privacy bill by the Justice Srikrishna Committee. Both these documents present similar views on the subject of personal data localisation. Essentially, what they say is that any company (body corporate) collecting personal information of Indian citizens is free to store the data in any part of the world, provided it maintains a copy of the data locally within India.



Most multinational companies seem to have a problem with the data localisation requirements, maybe because most of these companies are incorporated overseas and would prefer to follow the legal jurisdictions of the countries where they are incorporated. Countries such as the United States and even the European Union have personal data processing laws which may necessitate that data processed by companies incorporated in their territories should preferably be stored within those territories; while HIPAA and the GDPR do not explicitly require that such data be kept in Europe, some of the other clauses of the GDPR are more convenient to comply with if the data is co-located within Europe.

However, even for MNCs who have a significant local presence, with local subsidiaries incorporated/registered in India, the data localisation regulation presents a cost implication. Take for example payment processors such as MasterCard or Visa: currently they host their servers overseas, and with the data localisation requirement they will have to set up additional infrastructure in India to store a copy of the data here. Depending on how voluminous this data is, the additional data store would require significant capital expenditure, and maintaining it would incur significant operational costs as well. Further, this local data store would come under the jurisdiction of Indian authorities, who may request access to the data under various other laws such as the IPC [Indian Penal Code] and regulations by the RBI and SEBI; complying with such requests will require setting up a team to manage and service them, all adding to the operational expenditure.

However, as argued by Sachin Bansal and Manish Sabharwal in this piece, these costs notwithstanding, MNCs should fall in line and comply with the regulations, given that the regulations are in favour of the Indian general public, i.e. the MNCs' customers. They also counter-argue that by not mandating that this data be kept only in India, and by allowing it to be maintained overseas, the regulations have been fair and do not present significant operational challenges to MNCs or even to Indian companies doing business overseas.

But if you looked at this clause as a dispassionate external observer, maybe a Norwegian national for example, you would realise that this clause, which allows the primary data to be kept overseas and only a copy to be maintained within Indian territory, is actually a very convenient way for governments and regulators to say "I don't care what happens to the data of my citizens wherever else it is kept, all I want is to be able to snoop into the personal information of my citizens as and when I want according to the laws defined in my country".

By allowing data to be stored overseas without any restrictions, the regulators are providing no cover against snooping or leakage of this data from an overseas territory. For example, Indian citizens' data kept on the servers of MasterCard, Visa or American Express in their US data centres is open to being snooped on by the US government. At the same time, the same data can be accessed by the Indian government or regulators from the local data stores. In effect, there is absolutely no protection for citizens, and all provisions of these regulations only facilitate the regulator or government while allowing (or coercing?) businesses to be complicit participants in this game of personal data espionage.

To be fair, I must also add that it isn't trivial for personal data to be accessed by government agencies anywhere in the world. Most personal data such as credit card numbers is kept in an encrypted form and is not visible in plain sight. A hacking attempt on a credit card database, for example, is unlikely to result in theft of this data. Nevertheless, a government agency with sufficient privileges can get access to this data by using local laws and forcing the company to decrypt the data and provide a copy. So the risk of data snooping by government is still very real, even though the actual mechanisms may be complex.

A decade ago one would have called such allegations baseless, but after the revelations by Edward Snowden about the PRISM project of the US government, this is a reality and can no longer be swept under the carpet as a figment of someone's imagination.

So what would be the solution, one would ask? Clearly, for a developing nation like India it will not serve well to close its own data economy by mandating that any service provider store data ONLY within Indian territory. In the larger interest of a globalised world too, this would not be a welcome restriction. But opening up data to all the world's governments to facilitate the global economy takes a very narrow view of how data protection can be implemented for citizens of India. Solutions can be found if one has the will to protect citizen data, rather than an intention only to allow access to their information for purposes of government or national interest.

A simple solution would be to allow data to be stored in any part of the world, as long as all personal data is encrypted 'at source' [i.e. when it is collected*] and the encryption key used to encrypt it is stored exclusively in Indian territory. This way, if any government, foreign or Indian, wanted access to this data, it would need access to the key, which is kept in India. To obtain this key it would need to file proper claims under Indian law and establish its need to access the data for valid purposes. This mechanism can not only protect personal information from being snooped on by foreign governments but can also be a very effective way of preventing unauthorised or unscrupulous elements within the Indian government machinery from accessing this data at will. Police or Income Tax officers would not be able to access citizens' personal information just because they happen to represent the government, unless they have proper authorisation.
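One way to realise this key-custody split, as an added example that is not part of the post: a small Go model (standard library only) in which a record is encrypted with AES-256-GCM the moment it is collected, the resulting blob may be replicated to any data centre, and the key sits only in a vault that releases it against a locally approved request. The vault, its token-based approval and the record IDs are assumptions of this example; binding each blob to its record ID via GCM's associated data is a design choice of the example, not something the post specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyVault stands in for the key store the post proposes: it alone holds each record's
// key and releases it only to a request approved under local law (token model assumed).
type KeyVault struct {
	keys     map[string][]byte // record ID -> 256-bit AES key, never replicated
	approved map[string]bool   // access requests approved under local law
}
func NewKeyVault() *KeyVault {
	return &KeyVault{keys: map[string][]byte{}, approved: map[string]bool{}}
}
func (v *KeyVault) Grant(token string) { v.approved[token] = true }
// Fetch is the only way a key leaves the vault; unapproved requests get nothing.
func (v *KeyVault) Fetch(recordID, token string) ([]byte, error) {
	if k, ok := v.keys[recordID]; ok && v.approved[token] {
		return k, nil
	}
	return nil, errors.New("key release refused: no local authorisation")
}
// aead builds AES-256-GCM; with the 32-byte keys generated below it cannot fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
// CollectAtSource encrypts a record as it is collected under a fresh key, deposits
// the key in the vault and returns nonce||ciphertext, which may be stored anywhere.
func CollectAtSource(v *KeyVault, recordID string, plaintext []byte) ([]byte, error) {
	key, nonce := make([]byte, 32), make([]byte, 12) // fresh nonce per record
	if _, err := rand.Read(key); err != nil { return nil, err }
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	v.keys[recordID] = key
	return aead(key).Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// ReadRecord: without a key released by the vault the stored blob stays opaque.
func ReadRecord(v *KeyVault, recordID, token string, blob []byte) ([]byte, error) {
	key, err := v.Fetch(recordID, token)
	if err != nil { return nil, err }
	if len(blob) < 12 { return nil, errors.New("malformed record") }
	return aead(key).Open(nil, blob[:12], blob[12:], []byte(recordID))
}
```

Whoever holds a replica of the blob, at home or abroad, still has to go through `Fetch`, which is where the local authorisation step the post describes is enforced.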

The challenge, however, seems to be that regulators and governments are only looking at one side of the picture, which is how to ensure national or government interest, rather than focusing on the protection of citizens' personal data.

While I am guilty of not having represented this view to the Justice Srikrishna Committee, I plan to submit this piece of text to the Ministry of Electronics and Information Technology, which will be presenting this bill in the Indian Parliament. I do hope that the government reconsiders the data localisation requirements to ensure that the law is front-loaded with considerations of citizens' interest rather than only protecting the interests of the government or the nation-state.

* An example of data encryption at source is passwords: when you choose a new password, the actual password is not sent to the website; rather, your password is encrypted by your browser itself and an encrypted 'hash' of the password is sent to the website, and the same hash is stored on the servers. Your actual password is not stored by the website.
