UPSC 2023 countdown has begun! Get your personal guidance plan now! (Click here)

Context

In 2006 British mathematician Clive Humbly said that Data is the oil of the 21st Century. This has indeed turned out to be true with the rapid growth of the digital economy.
Data plays an increasingly important role as an economic and strategic resource.
In this article, we shall learn about our stand on the issue of data localization and what are the challenges on this front.

The ‘Data’ under debate

Data is any collection of strategic, personal and transactional information that is stored in a way so computers can easily read it.
These days, most people refer to data to mean information about their messages, social media posts, online transactions, and browser searches.
Big data refers to the immense amount of data that can now be collected, stored, and analyzed to find patterns.

What is Data Localization?

Data localization refers to various policy measures that restrict data flows by limiting the physical storage and processing of data within a given jurisdiction’s boundaries.
As per the UN’s digital economy report, 2021 64.2 zettabytes of data were created in 2020 which is a 314 percent increase from 2015.
It can be used to make decisions with economic impacts, environmental impacts or effects on health, education or society in general.
The volume of data in the world is increasing exponentially.

Why is Data important?

This large collection of information about people’s online habits has become an important source of profits.
Your online activity can expose a lot about who you are, and companies find it valuable to use the information to target advertisements to you.
Governments and political parties have also gained interest in these data sets for elections and policymaking.

India’s favor for Data Localization

India’s recent drafts and statements have strong signals for data localization, which means that data of Indians (even if collected by an American company) must be stored and processed in India.
Along with an RBI directive to payment companies to localize financial data, the Ministry of Commerce’s draft e-commerce policy is currently in public consultation.
The IT Ministry has drafted a data protection law that will be introduced in Parliament and has also framed draft intermediary rules that were leaked earlier.
These laws, broadly speaking, could require Facebook, Google, and Amazon to store and process in India information such as an Indian’s messages, searches, and purchases.
In some cases, they restrict what type of data these companies can collect. In others, it requires only a copy of the data to be in the country.
By requiring a copy of the data to be stored in India (data mirroring), the government hopes to have more direct control over these companies, including the option to levy more taxes on them.
The government also argues for data localization on the ground of national security, to prevent foreign surveillance and attacks.

Arguments in favor of data localization

Data accessibility: It will help Indian law enforcement access user data. This especially gained prominence when incidences of lynchings across the country were linked to WhatsApp rumours whose stance on encrypted content frustrated government officials.
Cost saving: Along with government support, most domestic-born technology companies (which tend to have heavy foreign investments) support data localization. Most of these firms store their data exclusively in India.
Privacy protection: Some Indian companies have strongly argued that data regulation for privacy and security will have little teeth without localization, citing models in China and Russia.
Prevent snooping: Secures citizen’s data and provides data privacy and data sovereignty from foreign surveillance. Example – Facebook shared user data with Cambridge Analytica to influence voting.
Employment generation: Many argue that localization would lead to a larger presence of MNC’s in India overall, such as local offices, and increase tax liability and open more jobs.
Corporate accountability: Greater accountability from firms like Google, Facebook etc. about the end use of data. Minimizes conflict of jurisdiction due to cross-border data sharing and delay in justice delivery in case of data breach.

Argument against data localization

Backlash from partner countries: Industry bodies, especially those with significant ties to the US, have slung heavy backlash.
Politicization of issue: Much of this sentiment hampers to the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows, rather than nationalistic borders.
Unease of doing business: Opponents say that this, in turn, may backfire on India’s own young start-ups that are attempting global growth, or on larger firms that process foreign data in India.
Domestic misuse of data: Critics caution against state misuse and surveillance of personal data. They also argue that security and government access is not achieved by localisation.
Huge cost of storage: Huge costs are involved to fulfill data localisation requirements. The servers need 24×7 power supply and the power outages may lead to shutdown of critical ins

Policy moves in India: Data Protection Bill

The Justice Srikrishna Committee in its report accompanying the draft Personal Data Protection Bill notes that eight of the top 10 most accessed websites in India are owned by U.S. entities
The Bill calls for a copy of user data to be mandatorily localized in India.
This reality has often hindered Indian law enforcement agencies when investigating routine crimes or crimes with a cyber element.

Is location sole measure of claiming data rights?

Questions around whether access to data is determined by the location of the user, location of data or the place of incorporation of the service provider have become central considerations for governments seeking to solve the cross-border data sharing conundrum
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, passed by the U.S. Congress earlier this year, seeks to de-monopolize control over data from U.S. authorities
The law will for the first time allow tech companies to share data directly with certain foreign governments
This requires an executive agreement between the U.S. and the foreign country certifying that the state has robust privacy protections and respect for due process and the rule of law
The CLOUD Act creates a potential mechanism through with countries such as India can request data not just for crimes committed within their borders but also for transnational crimes involving their state interests

Identifying the Indian Government’s Stated Goals

The first step is to identify and define the Indian government’s objectives precisely. As explained in the previous section, the following four objectives have been articulated in multiple Indian government documents.

securing faster and better access to personal data for law enforcement
spurring increased economic growth and employment
preventing foreign surveillance, and
better enforcing data protection laws

Way Forward

Conduct a full-scale assessment: To understand the exact requirements and to reach alignment on the necessary actions.
Review the potential market opportunity: This should be done in a particular region or country to determine if it warrants its own IT and data infrastructure.
Define a target state for a possible regional IT and data infrastructure and operations: This should include the extent to which the company will use local providers or set up its own localized capabilities.
Implement proper budgeting and planning: This should include the necessary support from global and regional IT and data teams.
Identify specific security and privacy controls: Given the data types and the severity of the risks, these might include tokenization to protect personally identifiable information (PII) during the migration to local infrastructure and field-level encryption for securing sensitive personal data.
Infrastructure development: Undertake the actual data migration and set up the local infrastructure and operations securely.