Security > Cyber Security > Data security
- The emphasis on the requirement of data localisation has been pressing under the data protection laws of various countries, however, with varying magnitudes.
- The latest draft of the data protection law, the Digital Personal Data Protection Bill, 2022, offers a relatively soft stand on data localization requirements and permits data transfer to select global destinations based on some predefined assessments.
WHAT IS DATA LOCALISATION?
- Data localization is the act of storing data on any device that is physically present within the borders of a specific country where the data was generated.
- Data localization is based on the fundamental principles which stipulate that data, being a critical resource in the context of today’s digital world, must be localized and be made locally available within the territorial boundaries of a country.
- For instance, obligations under the European Union’s General Data Protection Regulation (GDPR), obligates businesses in the EU to keep the data secured within the boundaries of the EU.
NEED FOR DATA LOCALISATION:
- Protection of personal and financial information:
- The main intent behind data localisation is to protect the personal and financial information of the country’s citizens and residents from foreign surveillance and give local governments and regulators the jurisdiction to call for the data when required.
- For instance, due to the increasing number of digital payments in the country, the Reserve Bank of India has also mandated payment system data information to be stored in India for better monitoring and safety.
- National security:
- National security and the prevention of foreign snooping may be the rationale behind the regulators' tough stand on data localization.
- For example, data can be weaponized, and Indians, especially state officials, could become vulnerable if Indian regulators were not in total control of all the locally generated data. A person’s debit card history, for example, can be a valuable tool in social engineering and honey-trapping.
- Also, incidents like the Facebook-Cambridge Analytica scandal have sparked a global push by governments for data localization.
- Better access to data for law enforcement:
- The storage of data locally is expected to help law enforcement agencies access information that is needed for the detection of a crime or to gather evidence. Where data is not localised, the agencies need to rely on mutual legal assistance treaties (MLATs) to obtain access, delaying investigations.
- Justice Srikrishna Committee had recommended that if the data concerning local people are stored in India itself, it will strengthen the hands of law enforcement agencies.
- Economic growth:
- Data localization has become one of the drivers of economic growth and employment, especially for underdeveloped countries.
- For instance, data localization requires companies to set up data centres across countries, and these centres often have to be built from scratch. This gives rise to numerous employment opportunities. Such an increase in employment opportunities would have a positive economic impact on the country.
- Proponents of data localization also believe that data should be considered to be a national resource. This means that the government of the nation should have a right on the revenue generated from that resource.
- Just like the inflow and outflow of goods and services are taxed, the movement of data in and out of the nation should also be taxed. These additional taxes can then be used by the government for more social programs.
CONCERNS ASSOCIATED WITH DATA LOCALISATION:
- Makes data security more vulnerable:
- The forced localization could make data security more vulnerable as the data no longer undergoes sharding. This is particularly true of countries with poor IT infrastructure.
Sharding is a method for distributing a single dataset across multiple databases, which can then be stored on multiple machines.
- Moreover, developed countries may use sophisticated tools for data surveillance which can simply forfeit the purpose of achieving data security through relocation.
- May raise operational costs and encourage monopoly:
- Data localisation may increase operational costs as companies would need to spend huge amounts setting up local servers, among other infrastructure costs. This may promote monopolies and the eradication of small and mid-size businesses from the market.
- For instance, stringent data localization norms may severely affect Indian startups, particularly fintech, cloud, and SaaS startups.
A SaaS company is a company that hosts an application and makes it available to customers over the internet. SaaS stands for Software as a Service. This infers that the software sits on a SaaS company’s server while the user accesses it remotely.
- Impact on fundamental rights:
- It has been suggested that data localization could potentially reflect an authoritarian regime and be seen as a tool to enable local surveillance.
- Through the adoption of data localisation laws, a government can increase control over its residents’ online activities, raising the possibility of abuse and putting at risk citizens’ right to privacy and freedom of expression.
- For instance, Section 69 of the IT Act, 2000 allows the Government to intercept, monitor, or decrypt any information stored in any computer under the garb of reasonable restriction provision in Article 19(2) of the Constitution like sovereignty, integrity, security, and public order of India. The misuse and arbitrariness of the Government would have no bounds if unrestricted access to data is provided to the Government.
- Balkanization of the Internet and "splinternet":
- The internet is based on the principle of free movement of data. If this free movement is hindered by the imposition of taxes or by undue protectionism, it will end up destroying the internet.
- Many are concerned about a possible ‘Balkanization of the Internet" and the creation of a fractured Internet (or a "splinternet") broken up into smaller national and regional pieces with barriers around each of the splintered Internets to replace the global Internet we know today.
- Hindrance to global trade:
- Stringent data localization laws, while allowing governments and their law enforcement agencies to work more efficiently, will result in a hindrance to global trade as it affects free flow of data across international boundaries.
- For instance, The United Nations Conference on Trade and Development in their Digital Economy Report found that businesses using the internet for global trade have a higher survival rate than those who do not.
INDIA AND DATA LOCALISATION:
- Digital Data Protection Bill, 2022:
- The latest draft of the data protection law, the Digital Personal Data Protection Bill, 2022, has now been made open for public comments.
- The draft of Personal Data Protection (PDP) Bill, 2019, was withdrawn in August 2022.
- Doing away with the stringent data localisation requirement proposed in the earlier version, the Digital Data Protection Bill, 2022, offers a relatively soft stand on data localization requirements and permits data transfer to select global destinations ("trusted geographies") based on some predefined assessments.
- The government will have the power to specify the countries to which companies can transfer personal data.
- B N Srikrishna Committee:
- The committee proposed that critical personal data of Indian citizens be processed in centres located within the country
- Draft National E-Commerce Policy Framework:
- The policy restricts cross-border flow of critical data of Indian users collected by e-commerce platforms and social media sites.
- The draft e-commerce policy calls for developing more data-storage facilities, data centres and server farms in India. It also favoured creating a legal and technological framework to provide the basis for imposing restrictions on cross-border data flow.
- Osaka Track on the Digital Economy:
- India boycotted the G20's Osaka Track on the Digital Economy, which pushed hard for the creation of laws that would allow data flows between countries and the elimination of data localization.
- In order for localisation-related norms to bear fruit, there has to be broader thinking at the policy level. This may include, for instance, reforming surveillance related laws, entering into more detailed and up-to-date mutual legal assistance treaties, enabling the development of sufficient digital infrastructure, and creating appropriate data-sharing policies that preserve privacy and other third-party rights while enabling data to be used for socially useful purposes.
Q. “Data localization norms should create appropriate data-sharing policies that preserve privacy while enabling data to be used for socially useful purposes”. Discuss the statement by highlighting the significance and concerns associated with data localization.