Beruflich Dokumente
Kultur Dokumente
it could prove to be a huge blow to tech giants such as Amazon and Microsoft, who have been
offering these services for Indian companies for a while now
Experts from across the globe are of an opinion that citizen data should be stored in
local data centres and therefore efforts are being made to restrict the movement of data
outside the country’s border. Apart from GDPR in EU, China has also brought up a cloud
computing law. The idea is to store information locally so that authorities can have an
easy access to data to ensure security or conduct investigation.
As far as the Indian data localisation policy is concerned, reports suggest that a forward-
looking data protection regime is needed because India’s IT laws don’t cover cloud
computing sufficiently or in detail. Moreover, data sovereignty has been a leading
agenda of the government as suggested in the draft of National Digital Communications
Policy released earlier this year
As India is keen on introducing data protection laws, it comes as a no surprise that the
government is looking to promote data localisation and streamline crucial areas like
digital payments and e-commerce, among others.
The need for localisation comes at a point when there is a worldwide debate going on
around the global security and how companies store user data. While the need of for
data localisation has been there for a long time, it got intensified after the RBI advised
payment system operators in the country to store customer data locally to prevent
possible foreign surveillance. Other instances such as the Cambridge Analytica-
Facebook scandal has also called for a need to restrict data flow.
Amidst all the discussion, Paytm has come up with its own Make In India version of the
AI cloud for storing data locally.
With this move, global cloud service providers like Google, Amazon and Microsoft will
be drastically affected, owing to their significant presence in the country.
The only way forward would be to build additional data centres locally and ensuring
that there is no flow of data from domestic to foreign data centres, accidentally or
programmatically. Given that several global companies already exist in the marketplace,
it might be hard to completely eliminate them. However, a little tweaking might make
them suitable to compete with the local market.
While most experts believe that there would be no long-term negative impact on the big cloud
players, Mozilla in a blog post had written that a data localisation mandate would undermine
user security, harm the growth and competitiveness of Indian industry, and potentially burden
relations between India and other countries.
Apart from the impact on local and global cloud providers, the larger impact of
restricted cloud market could be seen on other companies, especially those startups
that rely on customer datasets to power their artificial intelligence models. Data-driven
technologies such as AI and the internet of things might find it hard to comply with data
localisation requirements.
That is because, these models are largely trained on global data as of now, and to change
bases to Indian datasets might be a challenge. It also raises a question if these changes
in regulation would be robust enough to handle global startup innovation.
Outlook
Having local control of data has its own advantages and challenges. On one hand, while
it would trigger the cost for public cloud storage to go up owing to the need to expand
data centre capacity, it also calls for various permits to have in place. While the panel
intends to address this by developing a national cloud strategy that could bring cloud
service providers under a single regulatory and policy framework, it would take its own
sweet time to streamline the process
Both Indian and foreign companies, particularly from the US, have protested. They are right to do so.
Such data localisation measures are on the rise around the world. Frequently they use legitimate
concerns such as cyber security or privacy as covers for old-fashioned protectionism. In India’s case,
the moves have been egged on by domestic companies, including data centre and digital payments
groups, trying to keep out foreign competition. This is short-sighted. India has benefited mightily
from its IT industry engaging with the world economy. A boost for a few Indian companies will be
outweighed by lower efficiency from using relatively expensive domestic data storage, and by the
loss of foreign processing business.
Yet a properly-constituted system of free data flow could have clearly defined safeguards to protect
the privacy and security of personal information. The best solution would be clauses written into
trade agreements — or a standalone treaty — guaranteeing the exchange of information subject to
that condition
However, the recent Cambridge Analytica scandal has proven that free market
mechanisms leave much to be desired in securing data and protecting the privacy
of individuals. When a large, middle-income country rapidly becomes data rich,
there are obvious concerns about the challenges related to the usage, privacy,
and protection of the individual’s data given the greater scope for misuse
Aadhar is already embroiled in privacy issues, as is India Stack. The latest concerns
involve India Health Stack, the digital backbone to the National Health Protection
Scheme being launched by the government. It intends to combine disease
registries, personal health records, a coverage and claims platform, and a health
analytics platform. However, the open application program interfaces (APIs) used
by Health Stack have raised concerns related to privacy of individual health
records. Individual health data is particularly sensitive in nature and can be
misused for profit, manipulated, or used to discriminate against the data subject.
he wave of data localisation policies suggest that a marked regulatory shift is underway.
National localization is creating tension within trade negotiations such as RCEP, NAFTA,
and TiSA in which countries like the United States, Singapore, Thailand and Japan, along
with tech companies, are seeking to prohibit data localization practices.
Although governments push for data localization to achieve diverse policy goals, there is
an inherent conflict between the logic of most data localization efforts and the policy
objectives that countries pursue by participating in free trade agreements. Resolving
localization demands and reconciling conflicting ideologies and interests may be
difficult to achieve through trade agreements.
Reports suggest that cross-border data flows contributed $2.8 trillion to the global economy in
2014, which is expected to touch $11 trillion by 2025. Data has often been referred to as the new
oil, an economic resource, that is fuelling the fourth industrial revolution.
However, many governments have been inclined towards restricting cross-border data flow and
mandating localisation of certain data. It remains to be seen whether curbs on cross-border data
flows will lead to the anticipated enhancement of data privacy, sovereignty and security, or are
we merely heading towards a Walled Wide Web without meeting these objectives.
Also, the possibility of triggering a vicious cycle of data localisation requirements by other
countries as a response to India’s possible data localisation mandate will be detrimental for the
global data economy.“Information technology, which has been one of the leading drivers of
globalisation, becomes one of its major victims.”
The rationale behind such mandates has been attributed to various factors, such as: securing
citizen’s data, data privacy, data sovereignty, national security, and economic development of
the country. The extensive data collection by technology companies, due to their unfettered
access and control of user data, has allowed them to freely process and monetise Indian users’
data outside the country.
the advent of cloud computing raises important questions on accountability of service providers
who store Indian users’ data outside of the country’s boundaries, leading to a conflict of
jurisdiction in case of any dispute.
Domestic and foreign businesses engaged in developing data driven new age technologies such as
Internet of Things and Artificial Intelligence may also find it hard to comply with data
localisation requirements
Adequate infrastructure in terms of energy, real estate, and internet connectivity also needs to
be made available for India to become a global hub for data centres. Promoting confidence in
users without sacrificing expectations of privacy, security, and safety must also be worked upon
The innovation boom can be attributed to the freedom that the internet granted by breaking
down global barriers. Data-sharing across continents in the blink of an eye, and storing and
processing data using cloud-based technology proved cost-effective and permitted small-
businesses to compete on an equal footing with big corporations
The European Union recently released its GDPR — General Data Protection Regulation — that
aims to standardise data privacy laws across the EU. The GDPR is an essential update to an older
1990s’ regulation — and addresses how data is collected, stored and processed in the world
today.
The GDPR aims to provide EU citizens with greater rights and transparency over their personal
data. Any organisation that deals with EU citizen data, in any capacity, is covered under the
GDPR — even if the data is stored outside the EU or in a cloud. This takes into account the fact
that in today’s times of multinational corporations and cloud-storage, the location of the data
should be irrelevant to whether it is protected by law
The GDPR adopts a more protectionist policy through the ‘Adequacy Principle’. There has been
widespread debate about how the GDPR affects developing countries in particular since it
stipulates that EU citizen data can only flow to countries that also implement a similar level of
data protection and those the EU deems “adequate”. The European IT market is growing at three
times that of the US’ and there is a large potential for Indian IT to leverage opportunities in those
regions. Since the EU is a large bloc of 500 million customers, countries that do not comply with
GDPR requirements risk affecting their data-sharing and cross-border flow. With data being one
of the most valuable assets traded in this era, how does that affect our free trade agreement with
the EU?
Before the EU GDPR was finalised, a Deloitte study estimated its economic impact on the
European economy: reduction of GDP by €173 billion (1.34 per cent of GDP in EU-27) leading
to a loss of 2.8 million jobs — combined effect from only four sectors: web analytics, direct
marketing, online behavioural advertising and credit information
Both approaches are attempts to achieve data protection However, the US approach continues
to encourage and promote free market growth while making organisations accountable for
privacy violations. It’s not surprising that the world’s most innovative companies have emerged
from the US and not the EU
India will need to be flexible and adapt to greater demands for data processing. Global
requirements for data processing are only bound to increase with the advent of Internet of Things
(IoT). With IoT, large amounts of data will be generated on a regular basis from consumers and
corporations alike.
Real-time processing demands will increase in order to make sense of the data and glean
meaningful business insights. Restricting this growth in India will only increase the risk of losing
business to other developing countries and reduce our competitive advantage. Long-term data
policies will provide a greater advantage to India-based corporations and increase employment of
our working-age population.
These measures have unnerved some tech companies who fear it will
increase their infrastructure costs, hit their global fraud detection
analytic platforms and affect planned investments in India at a time
when more and more Indians are going online and using digital
payments
Impact on small business
Micro, small and medium enterprises (MSMEs) contribute 37 per cent of India’s GDP.
This contribution could increase to 48 per cent through increased digitisation and these
businesses benefit from cross-border data flows. Cloud-based computing is cost-
effective for small businesses and consumers, enabling significantly reduced IT costs
while being competitive in the global market against bigger players. Mandating that data
be physically stored in India could drastically increase costs for MSMEs in particular,
hindering the Digital India mission.
Therefore, any policy boosting this industry greatly contributes to our growing GDP and
the opposite could hamper growth rates.
Impact on infrastructure
With more customers preferring digital payments, the volume of data handled by
payment operators is increasing exponentially. Large data centres will have to be
physically located in India. Fundamental requirements for running these data centres are
power, cooling, and sophisticated security measures.
Almost 32 million homes in India have no electricity. A proliferation of local data centres
may negatively impact the initiative of providing electricity to all rural areas, as well as
power consumption in urban centres.
ENVIORENMENT
Data centres consume up to three per cent of all global electricity production and
produce 200 million tonnes of carbon dioxide, according to the National Resources
Defence Council (NRDC). Companies with data as the main commodity have some of
the highest carbon footprints, owing to their data centres. Carbon emissions from
Bangalore’s Tulip data centre are as high as 900 grams per kilowatt-hour, due to the
amount of power required to cool data centres in warmer countries.
Data centres consume up to three per cent of all global electricity production and
produce 200 million tonnes of carbon dioxide, according to the National Resources
Defence Council (NRDC). Companies with data as the main commodity have some of
the highest carbon footprints, owing to their data centres. Carbon emissions from
Bangalore’s Tulip data centre are as high as 900 grams per kilowatt-hour, due to the
amount of power required to cool data centres in warmer countries.
While India is on track to obtaining 10 per cent of its year-round power from renewable
energy sources by 2019, the power generated will still be too low to sustain large data
centre operations.
Recommendations
Sensitive data is often encrypted and legal justification is required prior to obtaining
encryption keys. The physical location alone does not guarantee access to the data.
Storing data in different jurisdictions mitigates the risk of damage due to natural
disasters and ensures business continuity.
India can leverage Mutual Legal Assistance in Trade Matters (MLATs), which enables
data-sharing between countries in the event of fraud or security concerns. There are
data privacy frameworks such as the APEC Privacy Framework and the Global Privacy
Enforcement Network, which permit free trade while providing the necessary structure
for interoperability and cooperation.
The United States recently passed the CLOUD Act, which encourages bilateral
agreements between the US and other countries to efficiently access data when
required by the law, irrespective of where the data is stored.
In India’s case, the moves have been egged on by domestic companies, including data centre and
digital payments groups, trying to keep out foreign competition. This is short-sighted. India has
benefited mightily from its IT industry engaging with the world economy. A boost for a few Indian
companies will be outweighed by lower efficiency from using relatively expensive domestic data
storage, and by the loss of foreign processing business. The measures are a further move towards
breaking up the world into a series of data regimes, a phenomenon sometimes named the
“splinternet”. This could seriously retard the growth of data-enabled innovation beyond simply the
delivery of online services.
Yet a properly-constituted system of free data flow could have clearly defined safeguards to protect
the privacy and security of personal information. The best solution would be clauses written into
trade agreements — or a standalone treaty — guaranteeing the exchange of information subject to
that condition
Thus, after this policy has been successfully implemented, we would end up creating
some local monopolies that would function exactly like foreign monopolies with little
concern for Indian consumers and India
These regulations are alarming for economic and political reasons. One, it
increases cost for companies, especially MNCs. Second, data localisation
restrictions can negatively impact GDP of countries mandating it. Third,
such policies often reflect an authoritarian regime and are seen as a tool
to enable local surveillance. Fourth, they also increase the cyber
vulnerability and restrict access of SMEs to global services.
n addition, proponents highlight security against foreign attacks and surveillance, which
opponents consider a weak argument in cases of data mirroring. Concerns also rose
when Facebook declared that its Cambridge Analytica controversy had affected Indian users
as well.
Along with fervent government support, most domestic-born technology companies (which
tend to have heavy foreign investments) support data localisation, and most of them store
their data exclusively in India. PayTM (backed by Alibaba and Softbank) has consistently
supported localisation (without mirroring). Reliance Jio, in a response to TRAI, has strongly
argued that data regulation for privacy and security will have little teeth without localisation,
citing models in China and Russia.
Many are concerned about a fractured Internet (or a “splinternet”), where the domino effect
of protectionist policy will lead to other countries following suit. Much of this sentiment
harkens to the values of a globalised, competitive internet marketplace, where costs and
speeds, rather than nationalistic borders, determine information flows.
Opponents say that this, in turn, may backfire on India’s own young start-ups that are
attempting global growth, or on larger firms that process foreign data in India, such as Tata
Consulting Services and Wipro.
Critics not only caution against state misuse and surveillance of personal data, but also argue
that security and government access is not achieved by localisation. Even if the data is stored
in the country, the encryption keys may still remain out of the reach of national agencies