Data Sovereignty in the 21st Century
This is an age of Data. Data haṣ acquired a high priority in the modern era. It has marked its presence significantly in the life of man. In all spheres and walks of life we generate some form of data. Right from the time of waking up in the morning till going to bed at night , we continue to generate and make use of some form of data . In fact while humans are resting, there is data being generated, in the background, monitoring our sleep patterns. For example, man wakes up at a particular time, schedule their meeting(s) for the day, our preferred mode of transport, food joint, even choice of meal, is data in every form. In short, data has come to stay as an indispensable instrument of considerable assistance to mankind at every step.
Countless are the uses which data has conferred upon us. For example, data in many aspects is accurate and gives us a lot of insights into various trends. This always brings precision and accuracy into making predictions.
The Indian Constitution defines sovereignty as the people’s right to make decisions on both internal as well as external matters. And data sovereignty is the foundation stone of data localisation. It allows data about a country’s citizens to be governed within the country before being transferred internationally. Although sovereignty over data mandates to follow a country’s personal or financial data processing laws, data localisation goes beyond, it equally emphasises upon the initial action of collection, processing and storage to occur within the country’s territory.
Under the Data Protection Bill, 2018, right to privacy has been stated to be a fundamental right. It calls for protection of data as an essential element of privacy. The Bill also proposes steps to protect individual interests, prevent misuse and establish rules for cross-border transfer of personal data. The Bill draws its recommendations from the SriKrishna Committee Report, which emphasises upon storage of personal data copy on servers located within India, specifically any sort of critical personal data. It also puts safeguards in place before any transfer of data outside the country is made possible.
In a circular issued by RBI, it was mandated that payment aggregators ought to store data collected through transactions. Many companies, globally, struggled with a strict deadline issued with the RBI notification. Most of the data till now is stored in a cloud, outside India. The concern for global companies has been the infrastructural and higher costs they might have to incur, in order to comply with the RBI directives.
The issue of data localisation has caught everyone’s attention post the Facebook-Cambridge Analytica episode(s). It has raised concerns around accountability and trust issues that we as customers place in the hands of such technological giants. Users tend to share a lot of information both voluntarily and involuntarily by accepting the terms of usage while signing up on such platforms, in order to avail their services.
Data localisation helps secure data and provide data privacy, sovereignty from foreign surveillance of its citizen(s). Unrestrained supervisory access to data would assist the Indian law enforcement agencies to ensure efficient monitoring and prevention of incidence(s). It also ensures National Security through seamless investigation to Indian Law Enforcement agencies since they need to depend upon Mutual Legal Assistance Treaties to obtain access to data. Data localisation would also empower local governments and regulators the jurisdiction to call for data whenever in need. Through the data centres, there is an immense scope of employment. Accountability is one of the major benefits from tech giants like Google, Facebook etc with regards to the end use of collected data. There are also chances of minimal conflict of jurisdiction due to cross border data sharing.
Among the various challenges of data localisation is the maintenance of multiple local data centres, which might lead to a significant investment in infrastructure and higher operational costs for the global companies. India at present is lacking in infrastructure for efficient data collection and management as well. The domino effect of protectionist policies could lead countries to follow suit. One of the reasons could be splinternet or fractured internet. Although the data might get stored locally, the keys to encrypt and decrypt data would still remain out of the purview of national agencies. One of the spillover effects of forced data localisation could be a reduction in data dependent services. This in turn outweighs the benefits of data localisation. Hence, a well thought trade off is something the policy makers need to take into consideration before any concrete steps are taken.
Many countries like China, the United States, Brazil, Indonesia and Russia are either in the process of implementing data localisation laws or have already implemented them. Europe’s new data protection regime under GDPR establishes certain limits on cross border data flow to countries which are yet to have data protection laws in place.
India’s Information Technology enabled Services (ITeS) and Business Process Outsourcing (BPO) industries thrive on cross border data flow. Policies Could be designed prioritising the infrastructure, giving adequate attention to the interests of such thriving industries. India could definitely create frameworks similar to GDPR after thorough analysis of both direct and indirect benefits. The need of the hour is indeed to have integrated long term strategies for establishing policies with regards to data localisation.