Mains Paper 3: Internal Security | Challenges to internal security through communication networks, role of media & social networking sites in internal security challenges
From UPSC perspective, the following things are important:
Prelims level: Data Mirroring and Localisation, BN Srikrishna Committee
Mains level: Rising cyber crimes and the role data protection bill would play in reducing them.
RBI pushes for Data Localisation
- The world weighs free global data flow against national security.
- Companies around the world rushed to try and meet a RBI-mandated deadline to store Indian users financial data in India, reigniting conversation about data localisation.
- The Govt. of India has firmed up its stance on storing data of Indian users in the country, to the discontent of international players and the delight of domestic ones.
- This wave again is the latest digital battleground of ongoing power wars between government and industry.
- It is a concept that the personal data of a country’s residents should be processed and stored in that country.
- Some directives may restrict flow entirely, while others more leniently allow for conditional data sharing or data mirroring – in which only a copy has to be stored in the country.
- As of now, much of cross-border data transfer is governed by individual bilateral “mutual legal assistance treaties” (MLATs).
Why is the issue again in focus?
- In early April, the RBI issued a circular mandating that payment data be stored only in India by October 15.
- This covered everyone every global payments & technology companies and various domestic & foreign prepaid payment instruments (PPIs).
- RBI has not instituted any fines for those who have missed the deadline but is seeking schedules of pending data transfers to India.
Draft Law on Data Protection
- In July 2018, a data protection draft law by a committee headed by retired Justice B N Srikrishna recommended for a copy of personal data of Indians to be in India (data mirroring).
- A subset of that data, labelled critical personal data, must be stored and processed only in India.
- The draft E-com policy recommended localisation for community data and data generated by users in India from various sources including e-commerce platforms, social media and search engines.
- It also discussed strategies to incentivise domestic data storage in India through facilitating data infrastructure.
- There could be, say a 2-year, sunset period for industry to adjust before localisation becomes mandatory a/c to the report.
Why need Data Localisation?
- A common argument by officials is that localisation will help Indian law enforcement access user data.
- Proponents also highlight the security against foreign attacks and surveillance.
- An RBI circular ruled that to ensure better monitoring, it is important to have supervisory access to data stored with these system providers.
- This especially gained prominence when incidences of lynchings across the country were linked to WhatsApp rumours whose stance on encrypted content frustrated government officials.
- Concerns also arose when Facebook declared that its Cambridge Analytica controversy had affected Indian users as well.
Data is the new Oil
- In the home of the largest open Internet market in the world, companies like PhonePe claim that national wealth creation relies on in-house data storage.
- The e-commerce policy took on a similar stance, championing domestic innovation, and the data protection report also mentioned harnessing India’s digital economy.
Arguments in Favor
- Along with government support, most domestic-born technology companies (which tend to have heavy foreign investments) support data localisation.
- Most of these firms store their data exclusively in India.
- Some Indian companies have strongly argued that data regulation for privacy and security will have little teeth without localisation, citing models in China and Russia.
- These domestic companies are rivals of many big US giants and condemn the large tax differences between international companies operating in India and those with a permanent establishment in the country.
- Many argue that localisation would lead to a larger presence in India overall, such as local offices, and increase tax liability and open more jobs.
Argument against data localisation
- Industry bodies, especially those with significant ties to the US, have slung heavy backlash.
- Many are concerned about a Fractured Internet (simply put servers go offline and out of access) due to uncertain protectionist policies.
- Much of this sentiment hampers to the values of a globalised, competitive internet marketplace, where costs and speeds determine information flows, rather than nationalistic borders.
- Opponents say that this, in turn, may backfire on India’s own young start-ups that are attempting global growth, or on larger firms that process foreign data in India.
- Critics caution against state misuse and surveillance of personal data.
- They also argue that security and government access is not achieved by localisation.
- Even if the data is stored in the country, the encryption may still remain out of the reach of national agencies due to company’s privacy concerns.
Crimes across the globe not covered
- The draft bill mandates local storage of data relating to Indian citizens only
- Localisation can provide data only for crimes that have been committed in India, where both the perpetrator and victim are situated in India
- Prevalent concerns around transnational terrorism, cyber crimes and money laundering will often involve individuals and accounts that are not Indian, and therefore will not be stored in India
- For investigations into such crimes, Indian law enforcement will have to continue relying on cooperative models
- India’s major partner, US leave regulation up to the state and sector.
- US also signed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) which established data sharing with certain countries.
- China mandates localisation for all “important data” held by “critical information infrastructure” and any cross border personal data transfer must undergo a security assessment.
- Russia also has the most restrictive regulation for data flow with strict localisation and high penalties.
- The European Union’s General Data Protection Regulation (GDPR) does not mandate all data to be localised, but rather restricts flow to countries with a strong data protection framework.
- The CLOUD Act seeks to ease control over data from U.S. authorities.
- The law will for the first time allow tech companies to share data directly with certain foreign governments.
- This provides India the data not just for crimes committed within their borders but also for transnational crimes involving their national interests.
- A fundamental error that the Srikrishna Committee seems to have made is in its belief that the location of data should determine who has access to it.
- This scenario will hardly improve even after technology companies relocate Indian data to India.