Personal data protection: the key sticking point in Indo-US biz ties
One of the sticking points in the Indo-US business relationship is New Delhi’s insistence on data localisation. It means that the personal data of Indian citizens must be stored on servers located within the physical boundaries of the country.
The Personal Data Protection Bill, which is now before the Parliament select committee, contains this contentious provision. The US technology and e-commerce giants like Google, Facebook and Amazon have opposed this provision, saying it will drive up costs and restrict free flow of cross border information.
“When data localisation is implemented, the costs can go up by 30-60 per cent. A lot of big global companies can probably absorb that but can Indian start-ups afford that? It’s likely that start-ups and small businesses will struggle to absorb the increased costs for data services when data is forced to be stored locally,” the Information Technology Industry (ITI) Council, a US-based global lobby body for technology companies, argued.
Data localisation is a requirement that the government seems intent on implementing — even the national e-commerce policy and the national cloud policy endorse the idea.
The Justice Srikrishna Committee report, which formed the basis for formulating the legislation, advocated local storage of data, citing several benefits. It could simplify and accelerate the process of accessing data by law enforcement agencies for investigation. It could help prevent foreign surveillance of Indian citizens and also boost domestic research in artificial intelligence.
In order to meet this expectation, the companies would need to spend huge amounts on setting up local servers. The experts say this may become a big hurdle for existing companies to operate in India, and new ones to start their operations.
It will particularly impact foreign firms such as Facebook and Twitter, which already have millions of users in India but store their data at remote locations.
“Mandating localisation of all personal data as proposed in the bill is likely to become a trade barrier in the key markets,” the IT industry body Nasscom said. The start-ups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets.
Data is the new oil
The absence of relevant regulation has allowed hundreds of companies, including giants like Google, Twitter and MasterCard, to establish lucrative operations in the country. India is the world’s largest mobile data consuming nation. As a result, these firms have been eager to capitalize on the huge opportunity India presents, particularly after being denied similar market access in China.
The success of these companies can be attributed to their ability to collect, analyse and share the data of India’s more than 1.25 billion citizens. This has raised concerns within the country, leading to the demand for exercising greater control over how the data is acquired, stored and shared.
Related news | Ambiguities haunt Personal Data Protection Bill
Reliance chairman Mukesh Ambani has been a prominent voice advocating that Indian data should be owned exclusively by Indian citizens. He had famously called for regulations ending ‘data colonization’ by non-Indian companies. Hailing data as the ‘new oil and wealth’ in the current age, Ambani emphasised the need to ‘migrate, control and ownership of Indian data back to India.’
Given the fact that only a few technology giants have access to a huge repository of global data, there is also a threat of data colonisation in the absence of adequate control over data. The Reserve Bank of India has imposed a hard data localisation mandate on payment systems providers to store payment systems data only in India.
However, the Internet and Mobile Association of India (IAMAI) has cautioned against imposition of data localisation norms.
In its report titled ‘Digital Technology Policy for India’s $5 Trillion Economy’, the industry body has warned that the storage of all the country’s critical data within India runs the risk of creating a ‘honeypot’ of such data, which is vulnerable to cyber-attacks, foreign surveillance and other threats.
It also argued that data localisation may have potentially harmful consequences for the Indian economy.
The European Centre for International Political Economy (ECIPE) has found that economy-wide data localisation laws drain between 0.7 per cent and 1.1 per cent of GDP from the economy for no benefit, since “any gains stemming from data localisation are too small to outweigh losses in terms of welfare and output in the general economy”, the report said.
“Given the harmful consequences associated with mandatory data localisation, it is recommended that the government should reconsider the imposition of ‘hard’ data localisation,” it argued.
The technology policy expert Prasanto K. Roy argued that data localisation would not adequately address security issues. “Business wise, it causes extra costs — and not just for foreign firms but for India-based ones as well who are beginning to face the same demands in countries which are looking to India’s localisation laws,” he says.
“For instance, fintech and card companies rely on complex anti-fraud platforms, which further rely on data from across the world. If we cut off India from those platforms then not only do they not draw on and learn from India’s data, India also doesn’t benefit from the real-time Artificial Intelligence (AI) and Machine Learning and anti-fraud technology and threat intelligence sharing provided by those platforms,” Roy says.
The draft bill on data protection has several ambiguities including the provision on keeping a ‘serving copy’ of all personal data in a server or data centre located in India. The laws in the European Union, Australia and Canada have no such requirement.
Given the growing importance of data protection in an increasingly digitized world, there is a need to strike a balance between the imperatives of the country’s digital sovereignty and the realities of global businesses.