Unpacking policy moves for sovereign control of data in India
By Arindrajit Basu, Elonnai Hickok and Aditya Singh Chawla
In a new White Paper, researchers from CyberBRICS partner CIS-India explore the issue of Data Sovereignty, mapping the current Indian policy measures for data localization and reflecting on the goals, challenges and implications of such measures.
The CIS White Paper on “The Localisation Gambit: Unpacking policy moves for sovereign control of data in India” can be freely downloaded here.
The vision of a borderless internet that functions as an open distributed network is slowly ceding ground to a space that is greatly political, and at risk of fragmentation due to cultural, economic, and geo-political differences. A variety of measures for asserting sovereign control over data within national territories is a manifestation of this trend.
Over the past year, the Indian government has drafted and introduced multiple policy instruments which dictate that certain types of data must be stored in servers located physically within the territory of India. These localization gambits have triggered virulent debate among corporations, civil society actors, foreign stakeholders, business guilds, politicians, and governments. This White Paper seeks to serve as a resource for stakeholders attempting to intervene in this debate and arrive at a workable solution where the objectives of data localisation are met through measures that have the least negative impact on India’s economic, political, and legal interests.
We begin this paper by studying the pro-localisation policies in India. We have defined data localisation as ‘any legal limitation on the ability for data to move globally and remain locally.’ These policies can take a variety of forms. This could include a specific requirement to locally store copies of data, local content production requirements, or imposing conditions on cross border data transfers that in effect act as a localization mandate. Presently, India has four sectoral policies that deal with localization requirements based on type of data, for sectors including banking, telecom, and health – these include the RBI Notification on ‘Storage of Payment System Data’, the FDI Policy 2017, the Unified Access License, and the Companies Act, 2013 and its Rules, The IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017, and the National M2M Roadmap.
At the same time, 2017 and 2018 has seen three separate proposals for comprehensive and sectoral localization requirements based on type of data across sectors including the draft Personal Data Protection Bill 2018, draft e-commerce policy, and the draft e-pharmacy regulations. The policies discussed reflect objectives such as enabling innovation, improving cyber security and privacy, enhancing national security, and protecting against foreign surveillance.
The subsequent section reflects on the objectives of such policy measures, and the challenges and implications for individual rights, markets, and international relations. We then go on to discuss the impacts of these policies on India’s global and regional trade agreements. We look at the General Agreement on Trade in Services (GATS) and its implications for digital trade and point out the significance of localisation as a point of concern in bilateral trade negotiations with the US and the EU. We then analyse the responses of fifty-two stakeholders-including civil society groups, corporations and politicians, both in India and abroad, on India’s data localisation provisions using publicly available statements and submissions.
As noted earlier, various countries have begun to implement restrictions on the cross-border flow of data. We studied 18 countries that have such mandates and found that models can differ on the basis of the strength and type of mandate, as well as the type of data to which the restriction applies, and sectors to which the mandate extends to. These models can be used by India to think through potential means of pushing through a localisation mandate.
Given the complexity of technology, the interconnectedness of global data flows, and the potential economic and political implications of localization requirements – approaches to data sovereignty and localization should be nuanced. In this section, we seek to posit the building blocks which can propel research around these crucial issues. We have organized these questions into the broader headings of prerequisites, considerations, and approaches:
From our research, we find that any thinking on data localisation requirements must be preceded with the following prerequisites, in order to protect fundamental rights, and promote innovation.
● Is the national, legal infrastructure and security safeguards adequate to support localization requirements?
● Are human rights, including privacy and freedom of expression online and offline, adequately protected and upheld in practice?
● Do domestic surveillance regimes have adequate safeguards, and checks and balances?
● Does the private and public sector adhere to robust privacy and security standards and what should be the measure to ensure protection of data?
● What are the objectives of localization?
1. Innovation and Local ecosystem
a) The Srikrishna Committee Report specifically refers to the value in developing an indigenous Artificial Intelligence ecosystem. Much like the other AI strategies produced by the NITI Aayog and the Task Force set up by the Commerce Department, it states that AI can be a key driver in all areas of economic growth, and cites developments in China and the USA as instances of reference.
2. National Security, Law Enforcement and Protection from Foreign Surveillance
a) As recognised by the Srikrishna White Paper, a disproportionate amount of data belonging to Indian citizens is stored in the United States, and the presently existing Mutual Legal Assistance Treaties process (MLATs) through which Indian law enforcement authorities gain access to data stored in the US is excessively slow and cumbersome.
b) The Srikrishna Committee report also states that undersea cable networks that transmit data from one country to another are vulnerable to attack.
The report suggests that localisation might help protect Indian citizens against foreign surveillance.
● What are the potential spill-overs and risks of a localisation mandate?
1. Diplomatic and political: Localisation could impact India’s trade relationships with its partners.
2. Security risks (“Regulatory stretching of the attack surface”): Storing data in multiple physical centres naturally increases the physical exposure to exploitation by individuals physically obtaining data or accessing the data remotely. So, the infrastructure needs to be backed up with robust security safeguards and significant costs to that effect.
3. Economic impact: Restrictions on cross-border data flow may harm overall economic growth by increasing compliance costs and entry barriers for foreign service providers and thereby reducing investment or passing on these costs to the consumers. The major compliance issue is the significant cost of setting up a data centre in India combined with the unsuitability of weather conditions. Further, for start-ups looking to attain global stature, reciprocal restrictions slapped by other countries may prevent access to the data in several other jurisdictions.
● What are the existing alternatives to attain the same objectives?
The objective and potential alternatives are listed below:
|Law enforcement access to data||Pursuing international consensus through negotiations rooted in international law|
|Widening tax base by taxing entities that do not have an economic presence in India||Equalisation levy/Taxing entities with a Significant Economic Presence in India (although an enforcement mechanism still needs to be considered).|
|Threat to fibre-optic cables||Building of strong defense alliances with partners to protect key choke points from adversaries and threats|
|Boost to US based advertisement revenue driven companies like Facebook and Google (‘data colonisation’)||Developing robust standards and paradigms of enforcement for competition law|
● What data might be beneficial to store locally for ensuring national interest? What data could be mandated to stay within the borders of the country? What are the various models that can be adopted?
1. Mandatory Sectoral Localisation: Instead of imposing a generalized mandate, it may be more useful to first identify sectors or categories of data that may benefit most from local storage.
2. ‘Conditional (‘Soft’) Localisation: For all data not covered within the localisation mandate, India should look to develop conditional prerequisites for transfer of all kinds of data to any jurisdiction, like the Latin American countries, or the EU. This could be conditional on two key factors:
a) Equivalent privacy and security safeguards: Transfers should only be allowed to countries which uphold the same standards. In order to do this, India must first develop and incorporate robust privacy and security protections.
b) Agreement to share data with law enforcement officials when needed: India should allow cross-border transfer only to countries that agree to share data with Indian authorities based on standards set by Indian law