Context: cyber crimes and data localisation in India
- Requirements for local storage and processing of data are commonly referred to as ‘data localization’ or ‘data residency’ requirements. Data localization can broadly be defined as ‘any legal limitation on data moving globally and compelling it to remain locally.
- Localization policies can take a variety of forms. This could include a specific requirement to locally store copies of data, local content production requirements, or imposing conditions on cross border data transfers that in effect act as a localization mandate
Need for data localization in India:
- Borderless Internet: The borderless nature of the Internet raises several jurisdictional issues on data protection. A single act of processing of personal data could very easily occur across multiple jurisdictions (outside the state territory) where the state may not have the authority to exercise its jurisdiction.
- To address this, not only should the regulation apply to entities (both public and private) within India that process personal data of Indian citizens and residents but it should also be applicable to all kinds of processing carried out on the personal data of Indian citizens and residents.
- Even though such processing may not be entirely based in India or may be carried out by non-Indian entities that do not have a presence in India.
- Cross-border transfer of data: Cross-border data transfer is unavoidable in today’s global and digital age. Data seamlessly and freely flows across borders. This exchange of data leads to exchange of information and ideas which stimulate innovation and drive growth.
- However, it is not always easy for countries to exert control over data that leaves its territorial boundaries. Safeguarding a person’s personal data transferred to an international geography remains a challenge.
- Localization of data: Under data localization, entities are required to store and process personal data on servers physically present within their national boundaries.
- Although this approach helps address concerns over data privacy, security, surveillance and law enforcement to an extent, it increases the burden on businesses by way of increased cost of compliance and may also impact the building blocks of economy which rely on data exchange.
- Impact on MSMEs: In the new age economy, a number of small enterprises are capturing and processing large volumes of data. Further, certain categories of private processing, such as processing carried out by not-for-profit organizations or charitable institutes, may have to be dealt with categorically.
- Online frauds: In recent times, there have been many instances of the hard-earned money of Indians being taken out of bank accounts and charges loaded onto credit cards through online frauds.
- Start-up ecosystem: Another emerging casualty of such cybercrimes is the emerging “startup” ecosystem. We are beginning to see multiple cases where customers of genuine startups, unicorns and Indian businesses have been subjected to online fraud
Impact of data localization:
- Physically locating all data within the territory of a state leads to a significant increase in the capacity of law enforcement agencies to access that information, and consequently surveillance of domestic residents.
- Localization becomes problematic in this context not just because the data will now be under the physical access of the state, but also due to the technical measures likely to be implemented to ensure that the data stays within a country’s boundaries.
- Checks and balances: There is the fact that citizens in countries with poor checks and balances often do not have any real or effective mechanisms to challenge state surveillance mechanisms.
- Additionally, domestic executive agencies will generally pose a greater threat to an individual than foreign agencies, due to the relative ease of applying coercive action within a state’s boundaries
- Fundamental rights: Localization could affect expression rights in a number of ways given that the Internet is built on the principle of easy transfer of information across borders. Localization may also permit greater censorship of domestic dissident or political voices and affect the extent to which Indian content is accessible abroad.
- Government perspective: With the growing usage of encryption techniques, localization in itself may not be a sufficient tool to achieve the desired level of access. As an example, consider the Apple-FBI imbroglio in the United States.
- Where the company refused government requests for help in decrypting data stored in a device in the government’s jurisdiction
- Economic cost: One of the main arguments against mandatory localization stems from the cost that it is likely to impose on businesses and consequently, their consumers and the economy as a whole.
- Widespread localization norms will mean that businesses and other users-both domestic and foreign-will no longer have the flexibility to choose the most cost-effective or task-specific location to store their data. These efficiency losses will ultimately be passed onto consumers in the form of higher costs of service.
- Taking into account factors like energy cost, international bandwidth, ease of doing business and taxation provisions, Cushman & Wakefield (2016) Data Center Risk Index score placed India at thirty sixth position, with a score of 47.84 (out of a highest score of 100)
Way forward: While privacy and data protection are necessary, and data localization may pose its own business challenges, India needs to work out a way to crack cyber frauds and crimes. For this, the country urgently needs a legally-backed framework for a collaborative trigger mechanism that would bind all parties and enable law enforcers to act quickly and safeguard Indian citizens and businesses from a fast-growing menace.