An analysis on India’s data localisation policy
India has a long history of drafting laws to protect its companies. In the process, Indians themselves often suffer. That’s precisely what will happen if the government proceeds with plans to force companies doing business in India to store all customer data locally.
Several laws and regulators are converging on the hot-button topic of data localisation. The deadline for a Reserve Bank of India mandate for fintech firms to house data only in India lapsed last week. Other norms are in play too: one on holding accounting data dating back to 2014 locally, and the draft e-commerce law, which requires firms to locally store “community data collected by Internet of Things devices in public space” and “data generated by users in India from various sources including e-commerce platforms.”
Google, among others, has complained loudly that the RBI’s six-month deadline is too short. Meanwhile, the government has begun considering a draft data-security law that requires that servers for all companies be physically located within India. The committee that drafted that law overstepped its mandate badly; it was supposed to limit itself to figuring out new rules to protect consumer data and instead focused on growing digital-economy companies. Separately, a government think tank has also produced an e-commerce policy which requires the storage of customer data in India.
There’s a massive explosion in data being generated by connected internet users in India. According to a report by real estate and infrastructure consultancy Cushman and Wakefield, the size of the digital population in India presents a huge potential demand for data centre infrastructure.
The fact is that the arguments used to justify the need for data localization simply aren’t persuasive. Proponents say, first, that places such as China do it. This barely requires a reply: China really shouldn’t be a model for anyone designing a free and open digital economy.
The second argument is that preventing foreign companies from repatriating and making money off of Indian consumers’ data will help Indian companies grow: If data is the new oil, then surely Indian companies should have exclusive access to Indian data they can mine? This nativist instinct is in line with the rest of the national e-commerce policy, which openly seeks to tilt the playing field in favor of domestic companies; the panel that wrote the policy very noticeably excluded members from the big credit card companies, as well as Amazon and Uber.
Technology experts such as Prashant Pradhan, vice-president and CTO (Asia Pacific) of IBM, argue that the physical location of data is irrelevant. Your data can be accessed from a server in Bengaluru or Boston just as easily. In fact, having a mirror of your data in India may actually increase the cost of operation and compliance. What’s more important is the quality, rather than sheer quantity. While terms such as big data were in vogue previously, what companies may be more interested in now is the quality of data they can secure and store. “While the amount of data itself has grown, what isn’t well understood is who has access to this data and what they can do with it,” he says.
Finally, in a particularly Orwellian twist, the government has claimed that keeping data in the country will protect Indians’ privacy. In actual fact, that just means that Indian bureaucrats will be able to get their hands on it. India’s privacy laws are weak; messages can be intercepted just on a senior security official’s say-so, with minimal oversight or accountability, and even this requirement is widely ignored. Moving Indians’ data from the relative security of U.S.-based servers to ones that their own government can access with ease is not going to make them any safer. Most Indians would trust Google’s commitment to its users much more than they would their government’s commitment to its citizens’ privacy. Take UIDAI’s Aadhaar irregularities into consideration.
When governments build barriers to protect companies, then consumers suffer, growth stagnates, and the entire country falls behind the rest of the world. Data localization limits possibilities for India’s vibrant startups; they should be able to locate their servers wherever they want and use whatever cloud services make most sense for them. As for consumers, they have the right to access a free and unfettered internet and to use the highest-quality or cheapest online services they can find. And, certainly, they have the right to store their personal data wherever they want. Moving to a “splinternet” would hurt people and businesses worldwide — but those in India more than most.