Data Localisation

it could prove to be a huge blow to tech giants such as Amazon and Microsoft, who have been
offering these services for Indian companies for a while now

Experts from across the globe are of an opinion that citizen data should be stored in
local data centres and therefore efforts are being made to restrict the movement of data
outside the country’s border. Apart from GDPR in EU, China has also brought up a cloud
computing law. The idea is to store information locally so that authorities can have an
easy access to data to ensure security or conduct investigation.

As far as the Indian data localisation policy is concerned, reports suggest that a forward-
looking data protection regime is needed because India’s IT laws don’t cover cloud
computing sufficiently or in detail. Moreover, data sovereignty has been a leading
agenda of the government as suggested in the draft of National Digital Communications
Policy released earlier this year

Need For Data Localisation

As India is keen on introducing data protection laws, it comes as a no surprise that the
government is looking to promote data localisation and streamline crucial areas like
digital payments and e-commerce, among others.

The need for localisation comes at a point when there is a worldwide debate going on
around the global security and how companies store user data. While the need of for
data localisation has been there for a long time, it got intensified after the RBI advised
payment system operators in the country to store customer data locally to prevent
possible foreign surveillance. Other instances such as the Cambridge Analytica-
Facebook scandal has also called for a need to restrict data flow.

Amidst all the discussion, Paytm has come up with its own Make In India version of the
AI cloud for storing data locally.

Impact On Global Players

With this move, global cloud service providers like Google, Amazon and Microsoft will
be drastically affected, owing to their significant presence in the country.
 The only way forward would be to build additional data centres locally and ensuring
that there is no flow of data from domestic to foreign data centres, accidentally or
programmatically. Given that several global companies already exist in the marketplace,
it might be hard to completely eliminate them. However, a little tweaking might make
them suitable to compete with the local market.

While most experts believe that there would be no long-term negative impact on the big cloud
players, Mozilla in a blog post had written that a data localisation mandate would undermine
user security, harm the growth and competitiveness of Indian industry, and potentially burden
relations between India and other countries.

Apart from the impact on local and global cloud providers, the larger impact of
restricted cloud market could be seen on other companies, especially those startups
that rely on customer datasets to power their artificial intelligence models. Data-driven
technologies such as AI and the internet of things might find it hard to comply with data
localisation requirements.

That is because, these models are largely trained on global data as of now, and to change
bases to Indian datasets might be a challenge. It also raises a question if these changes
in regulation would be robust enough to handle global startup innovation.

Outlook

Having local control of data has its own advantages and challenges. On one hand, while
it would trigger the cost for public cloud storage to go up owing to the need to expand
data centre capacity, it also calls for various permits to have in place. While the panel
intends to address this by developing a national cloud strategy that could bring cloud
service providers under a single regulatory and policy framework, it would take its own
sweet time to streamline the process

 From EU to China: In EU, the GDPR doesn’t have a hard localisation

mandate — it merely says that cross-border data transfer can only happen if
the other country has adequate safeguards for data. China, Russia and
Vietnam have toyed with localisation. We’re trying to move to a world with free
flow of data cross-border while protecting privacy. Stickiest issue is law
enforcement access to data. (Nehaa Chaudhari, Public Policy Lead, TRA
Law)
 Alongside China and Russia: India now stands alongside China and Russia
as far as localisation is concerned. This law mandates all types of personal
 data to be stored locally. (Venkatesh Krishnamoorthy, Country Manager for
India, BSA: The Software Alliance)
 Another approach for law enforcement access: In the US, the CLOUD Act
allows tech companies to immediately share data with foreign governments
and vice versa under executive agreement with the US president. We need
this kind of procedural clarity. The bill doesn’t do this. If you are serious about
sovereignty, this macho idea of let’s store in India and worry about the rest
later is not going to work. (Nayantara Ranganathan, Internet Democracy
Project)

 No precedent for India’s localisation push: The localisation provision in the

bill is completely unprecedented outside of certain specific regimes like China
and Russia which have a completely different political and civil rights outlook.
If you look at countries comparable with India, there is nobody asking for all
personal data to be stored locally. (Vinay Kesari, Independent Lawyer)
 Why tech companies respect privacy more in the west: In the US,
companies push back on government requests out of fear of backlash from
users as well as their own employees. Look at how Amazon and Google
employees revolted against the companies’ use of AI and facial recognition
technology in the military and law enforcement. Do you think Indian offices
and users would revolt like this? That’s why India-based businesses don’t
push back. (Vinayak Hegde)

 Localisation vs Cross-border data transfer: Having one serving copy of

personal data within the country is an area of concern. Two aspects: one is
data localisation, and other is permitting cross-border data flows. We are
concerned about the localisation mandate. (Krishnamoorthy)
 All eggs in one basket bad for security: One large concern is security. It
makes little sense to have all data stored in one country with one service
provider. Ideally companies use redundant datasets all over the world. We are
creating a honeypot situation here. (Krishnamoorthy)
 Costs will go up: Cloud services are able to provide cheap services with
credits to users in India because they’re able to harness the power of global
digital data flows. It’s the customers’ choice to choose where to store their
data. (Krishnamoorthy)
 On new apps who have to comply with regulations: it’s very possible that
new services by companies won’t be available in India immediately. What’s
picking up now is microservices — they are so niche that they appeal to a
global audience as soon as they’re launched. Indians make these as well. So
a legislation like this, how would it impact such services? It’s unclear.
 Companies may reduce security to comply: Aside from taking a
beating on costs, businesses might opt for sub-optimal solutions to be
compliant with regulations. That doesn’t give good value to the
company or to the consumer. Forget about being locked out of
 innovation, we might actually go back in time. As costs go up, the
consumers will bear it. Localisation comes with costs for businesses.
For small businesses, it comes at a considerable cost. (a member of the
audience)
 Redundancy may not happen: Many of the conversations on mirroring
assume that there will be one copy residing outside India too. That may
not happen if costs don’t align — security through redundancy is also
possible by having two datacenters in the same country. (a member of
the audience)
 Privacy vs access: We need to separate privacy from access.
Localisation does not improve privacy. The internet is globalised and
breaches can happen from anywhere. Mirroring only increases that
possibility. (Vibhakar Bhushan, CCICI)
 Technical localisation challenge: Assumption being made is that
datasets and architecture of large applications is simple, and already
partitioned by country and so on. That’s not necessarily the case.
Application architectures and how data is extremely complex and
localisation may require full re-architecture of the data. (Vikas Mathur,
CCICI)
 A careful reading suggests that this directive has divided payment
transactions into two legs, i.e., an Indian leg and a foreign leg. If a system
provider’s entire payment processing cycle, including that of its service
providers, intermediaries, etc. is happening within India, then such a system
provider (and related entities) can store entire payment transactions in India
only. However, if a part of the transaction process is happening in a foreign
territory then the data from that part of the transaction would be out of the
purview of this directive.
 This directive may lead system providers, including the companies offering
and selling retail/business services to Indian consumers, to reassess their
payment transaction models. The location of payment gateways and such
intermediaries, whether within or outside India, is now a critical business
decision for foreign e-commerce companies to consider in the near future.

Both Indian and foreign companies, particularly from the US, have protested. They are right to do so.
Such data localisation measures are on the rise around the world. Frequently they use legitimate
concerns such as cyber security or privacy as covers for old-fashioned protectionism. In India’s case,
the moves have been egged on by domestic companies, including data centre and digital payments
groups, trying to keep out foreign competition. This is short-sighted. India has benefited mightily
from its IT industry engaging with the world economy. A boost for a few Indian companies will be
outweighed by lower efficiency from using relatively expensive domestic data storage, and by the
loss of foreign processing business.

Yet a properly-constituted system of free data flow could have clearly defined safeguards to protect
the privacy and security of personal information. The best solution would be clauses written into
trade agreements — or a standalone treaty — guaranteeing the exchange of information subject to
that condition
However, the recent Cambridge Analytica scandal has proven that free market
mechanisms leave much to be desired in securing data and protecting the privacy
of individuals. When a large, middle-income country rapidly becomes data rich,
there are obvious concerns about the challenges related to the usage, privacy,
and protection of the individual’s data given the greater scope for misuse

It began with the government’s unique identification program providing each

Indian with a way to directly receive government benefits. India Stack was then
launched to enable this identity to authorize access to documents, make
payments, and other digital services. The Digital Locker eliminates physical paper
and fake documents by issuing documents digitally, while the eSign service allows
all Aadhaar holders to digitally sign documents and request digital signatures.
Initiatives such as these have elevated India into the top 100 on the United
Nation’s E-Government Index.

Aadhar is already embroiled in privacy issues, as is India Stack. The latest concerns
involve India Health Stack, the digital backbone to the National Health Protection
Scheme being launched by the government. It intends to combine disease
registries, personal health records, a coverage and claims platform, and a health
analytics platform. However, the open application program interfaces (APIs) used
by Health Stack have raised concerns related to privacy of individual health
records. Individual health data is particularly sensitive in nature and can be
misused for profit, manipulated, or used to discriminate against the data subject.

NEW DATA PROTECTIONS FOR INDIA

The judiciary in India has taken a lead in establishing safeguards for data privacy.
Last year, the Supreme Court of India held the right to privacy to be a fundamental
right. Closely thereafter, in its landmark Puttaswamy judgement the Supreme
Court established the individual’s control over her data. The Ministry of Health &
Family Welfare ratified the draft Digital Information Security in Healthcare Act in
March 2018 to regulate digital health data. Later in April, the Reserve Bank of
India, the country’s central bank, issued a data localization order requiring all
payment system operators to ensure that their data was stored in a system in India.
The past year thus proved to be a watershed for data privacy laws in India.

 Data Localisation: Data localisation requires companies to store and

process data on servers physically located within the national borders
of the country. Though this prevents foreign surveillance, easy access
to data by enforcement agencies, and protection of rights of data
subjects, it puts a huge burden on the industry in the form of heavy
investment for setting up servers in India. Therefore, as suggested by
the White Paper , it would be imperative for the government to take a
 view which carefully balances enforcement benefits of data
localisation with the costs involved pursuant to such requirement.

he wave of data localisation policies suggest that a marked regulatory shift is underway.
National localization is creating tension within trade negotiations such as RCEP, NAFTA,
and TiSA in which countries like the United States, Singapore, Thailand and Japan, along
with tech companies, are seeking to prohibit data localization practices.

Although governments push for data localization to achieve diverse policy goals, there is
an inherent conflict between the logic of most data localization efforts and the policy
objectives that countries pursue by participating in free trade agreements. Resolving
localization demands and reconciling conflicting ideologies and interests may be
difficult to achieve through trade agreements.

Reports suggest that cross-border data flows contributed $2.8 trillion to the global economy in
2014, which is expected to touch $11 trillion by 2025. Data has often been referred to as the new
oil, an economic resource, that is fuelling the fourth industrial revolution.

However, many governments have been inclined towards restricting cross-border data flow and
mandating localisation of certain data. It remains to be seen whether curbs on cross-border data
flows will lead to the anticipated enhancement of data privacy, sovereignty and security, or are
we merely heading towards a Walled Wide Web without meeting these objectives.

Also, the possibility of triggering a vicious cycle of data localisation requirements by other
countries as a response to India’s possible data localisation mandate will be detrimental for the
global data economy.“Information technology, which has been one of the leading drivers of
globalisation, becomes one of its major victims.”

The rationale behind such mandates has been attributed to various factors, such as: securing
citizen’s data, data privacy, data sovereignty, national security, and economic development of
the country. The extensive data collection by technology companies, due to their unfettered
access and control of user data, has allowed them to freely process and monetise Indian users’
data outside the country.

the advent of cloud computing raises important questions on accountability of service providers
who store Indian users’ data outside of the country’s boundaries, leading to a conflict of
jurisdiction in case of any dispute.

Also, minimal or deregulated governance on critical data, due to absence of localisation

requirements, could be detrimental to India’s national security as data would be outside the
purview of existing data protection legislation
The possible rise in prices or unavailability of foreign cloud computing services in case of a data
localisation mandate, and its impact on medium small and micro enterprises (MSMEs) as well as
start-ups relying on these services must also be counted for.

Domestic and foreign businesses engaged in developing data driven new age technologies such as
Internet of Things and Artificial Intelligence may also find it hard to comply with data
localisation requirements

Adequate infrastructure in terms of energy, real estate, and internet connectivity also needs to
be made available for India to become a global hub for data centres. Promoting confidence in
users without sacrificing expectations of privacy, security, and safety must also be worked upon

The innovation boom can be attributed to the freedom that the internet granted by breaking
down global barriers. Data-sharing across continents in the blink of an eye, and storing and
processing data using cloud-based technology proved cost-effective and permitted small-
businesses to compete on an equal footing with big corporations

The European Union recently released its GDPR — General Data Protection Regulation — that
aims to standardise data privacy laws across the EU. The GDPR is an essential update to an older
1990s’ regulation — and addresses how data is collected, stored and processed in the world
today.

The GDPR aims to provide EU citizens with greater rights and transparency over their personal
data. Any organisation that deals with EU citizen data, in any capacity, is covered under the
GDPR — even if the data is stored outside the EU or in a cloud. This takes into account the fact
that in today’s times of multinational corporations and cloud-storage, the location of the data
should be irrelevant to whether it is protected by law

The GDPR adopts a more protectionist policy through the ‘Adequacy Principle’. There has been
widespread debate about how the GDPR affects developing countries in particular since it
stipulates that EU citizen data can only flow to countries that also implement a similar level of
data protection and those the EU deems “adequate”. The European IT market is growing at three
times that of the US’ and there is a large potential for Indian IT to leverage opportunities in those
regions. Since the EU is a large bloc of 500 million customers, countries that do not comply with
GDPR requirements risk affecting their data-sharing and cross-border flow. With data being one
of the most valuable assets traded in this era, how does that affect our free trade agreement with
the EU?

Before the EU GDPR was finalised, a Deloitte study estimated its economic impact on the
European economy: reduction of GDP by €173 billion (1.34 per cent of GDP in EU-27) leading
to a loss of 2.8 million jobs — combined effect from only four sectors: web analytics, direct
marketing, online behavioural advertising and credit information
Both approaches are attempts to achieve data protection However, the US approach continues
to encourage and promote free market growth while making organisations accountable for
privacy violations. It’s not surprising that the world’s most innovative companies have emerged
from the US and not the EU

India will need to be flexible and adapt to greater demands for data processing. Global
requirements for data processing are only bound to increase with the advent of Internet of Things
(IoT). With IoT, large amounts of data will be generated on a regular basis from consumers and
corporations alike.

Real-time processing demands will increase in order to make sense of the data and glean
meaningful business insights. Restricting this growth in India will only increase the risk of losing
business to other developing countries and reduce our competitive advantage. Long-term data
policies will provide a greater advantage to India-based corporations and increase employment of
our working-age population.

revalent concerns around transnational terrorism, cyber crimes and money

laundering that the committee rightly highlights will often involve individuals and
accounts that are not Indian, and therefore will not be stored in India. For
investigations into such crimes, Indian law enforcement will have to continue
relying on cooperative models like the MLAT process.

These measures have unnerved some tech companies who fear it will
increase their infrastructure costs, hit their global fraud detection
analytic platforms and affect planned investments in India at a time
when more and more Indians are going online and using digital
payments
Impact on small business

Micro, small and medium enterprises (MSMEs) contribute 37 per cent of India’s GDP.
This contribution could increase to 48 per cent through increased digitisation and these
businesses benefit from cross-border data flows. Cloud-based computing is cost-
effective for small businesses and consumers, enabling significantly reduced IT costs
while being competitive in the global market against bigger players. Mandating that data
be physically stored in India could drastically increase costs for MSMEs in particular,
hindering the Digital India mission.

Therefore, any policy boosting this industry greatly contributes to our growing GDP and
the opposite could hamper growth rates.

Impact on infrastructure

With more customers preferring digital payments, the volume of data handled by
payment operators is increasing exponentially. Large data centres will have to be
physically located in India. Fundamental requirements for running these data centres are
power, cooling, and sophisticated security measures.

The biggest data centres consume an enormous amount of power — sometimes

equivalent to a city of a million people. To protect data from damage or corruption, data
centres require a large amount of cooling. Global players are migrating their data to
Nordic countries to reduce the power required to cool their centres. Asian data centres
however, require an incredible amount of power to handle their load. Failure to provide
sustained cooling with uninterrupted power supply can result in irreversible data
corruption and damage.

Almost 32 million homes in India have no electricity. A proliferation of local data centres
may negatively impact the initiative of providing electricity to all rural areas, as well as
power consumption in urban centres.

ENVIORENMENT

Data centres consume up to three per cent of all global electricity production and
produce 200 million tonnes of carbon dioxide, according to the National Resources
Defence Council (NRDC). Companies with data as the main commodity have some of
the highest carbon footprints, owing to their data centres. Carbon emissions from
Bangalore’s Tulip data centre are as high as 900 grams per kilowatt-hour, due to the
amount of power required to cool data centres in warmer countries.

warming, weather changes, increased pollution and health risks.

Data centres consume up to three per cent of all global electricity production and
produce 200 million tonnes of carbon dioxide, according to the National Resources
Defence Council (NRDC). Companies with data as the main commodity have some of
the highest carbon footprints, owing to their data centres. Carbon emissions from
Bangalore’s Tulip data centre are as high as 900 grams per kilowatt-hour, due to the
amount of power required to cool data centres in warmer countries.

While India is on track to obtaining 10 per cent of its year-round power from renewable
energy sources by 2019, the power generated will still be too low to sustain large data
centre operations.

Minimising the number of electricity-guzzling data centres in India might be an

environmental advantage for India.

Recommendations

Consumers and businesses would welcome measures to tighten security around

sensitive data. But a high level of data protection can be achieved by incentivising
businesses to implement tighter security measures and protocols.

Sensitive data is often encrypted and legal justification is required prior to obtaining
encryption keys. The physical location alone does not guarantee access to the data.
Storing data in different jurisdictions mitigates the risk of damage due to natural
disasters and ensures business continuity.
India can leverage Mutual Legal Assistance in Trade Matters (MLATs), which enables
data-sharing between countries in the event of fraud or security concerns. There are
data privacy frameworks such as the APEC Privacy Framework and the Global Privacy
Enforcement Network, which permit free trade while providing the necessary structure
for interoperability and cooperation.

The United States recently passed the CLOUD Act, which encourages bilateral
agreements between the US and other countries to efficiently access data when
required by the law, irrespective of where the data is stored.

The policy-heavy European Union’s GDPR (Global Data Privacy Regulation)

attempts to protect their citizens' information beyond the limitations of physical
boundaries. Their jurisdiction extends to any organisation that works with their
citizens’ data, regardless of where it is stored — around the globe or the cloud.

Empowering authorities with greater bilateral understanding between countries

will help prevent fraud while securing India’s position as a top player in global
markets.

In India’s case, the moves have been egged on by domestic companies, including data centre and
digital payments groups, trying to keep out foreign competition. This is short-sighted. India has
benefited mightily from its IT industry engaging with the world economy. A boost for a few Indian
companies will be outweighed by lower efficiency from using relatively expensive domestic data
storage, and by the loss of foreign processing business. The measures are a further move towards
breaking up the world into a series of data regimes, a phenomenon sometimes named the
“splinternet”. This could seriously retard the growth of data-enabled innovation beyond simply the
delivery of online services.

Yet a properly-constituted system of free data flow could have clearly defined safeguards to protect
the privacy and security of personal information. The best solution would be clauses written into
trade agreements — or a standalone treaty — guaranteeing the exchange of information subject to
that condition

Meanwhile, the recently-released draft e-commerce policy recommendations propose

data localisation but in broader strokes than those enunciated by the banking regulator
or what is proposed by the Srikrishna panel. The draft policy suggests storing data of
Indians, collected by social media firms, only in the country

This mixing of vicarious nationalism and policymaking took me back to a certain

episode in 1977, of which I only have indirect recollection. What happened that
year? A new government, led by former Congressman Morarji Desai, took charge
and embraced an insular and inward-looking economic policy that was
vehemently anti-west. As a result, in 1978, 50 multinational companies (mostly
American and some British, since Asian companies were too poor to invest in
India at that time) applied to leave India. The non-tariff barrier raised this time was
the instrument of FERA (Foreign Exchange Regulation Act).
The story of one of these companies that left India at that time is educative. Yes, I
cite the famous case of Coca Cola leaving India. Coca Cola left India and we had
the historical rise of Thums Up, an Indian brand. Coca Cola came back to India 15
years later, in 1993, and bought Thums Up, giving an Indian-owned company a
very good exit. It was a global monopoly buying a local monopoly. What did India
gain out of it? Or what did Indians gain out of it? Between 1978 and 1993, Indians
continued to suffer aerated drinks. In fact, these drinks reached new markets in
rural areas in those years and made Thums Up a coveted brand for Coca Cola to
buy. India probably lost just as much groundwater, and gained just as much
employment.

Erecting a non-tariff barrier to benefit Indian companies by creating local monopolies

rather than expanding competitiveness and competition; little or no concern for the
country or its consumers; policies made without evidence or awareness of full facts of
the case, and so on. Therefore, one can also guess with some amount of certainty the
outcome of such policy.

Thus, after this policy has been successfully implemented, we would end up creating
some local monopolies that would function exactly like foreign monopolies with little
concern for Indian consumers and India

These regulations are alarming for economic and political reasons. One, it
increases cost for companies, especially MNCs. Second, data localisation
restrictions can negatively impact GDP of countries mandating it. Third,
such policies often reflect an authoritarian regime and are seen as a tool
to enable local surveillance. Fourth, they also increase the cyber
vulnerability and restrict access of SMEs to global services.

Europe’s new data protection regime does not introduce localisation

requirements but instead puts limits on cross-border data flows to
countries that don’t have data protection laws.

n addition, proponents highlight security against foreign attacks and surveillance, which
opponents consider a weak argument in cases of data mirroring. Concerns also rose
when Facebook declared that its Cambridge Analytica controversy had affected Indian users
as well.
Along with fervent government support, most domestic-born technology companies (which
tend to have heavy foreign investments) support data localisation, and most of them store
their data exclusively in India. PayTM (backed by Alibaba and Softbank) has consistently
supported localisation (without mirroring). Reliance Jio, in a response to TRAI, has strongly
argued that data regulation for privacy and security will have little teeth without localisation,
citing models in China and Russia.

Many are concerned about a fractured Internet (or a “splinternet”), where the domino effect
of protectionist policy will lead to other countries following suit. Much of this sentiment
harkens to the values of a globalised, competitive internet marketplace, where costs and
speeds, rather than nationalistic borders, determine information flows.
Opponents say that this, in turn, may backfire on India’s own young start-ups that are
attempting global growth, or on larger firms that process foreign data in India, such as Tata
Consulting Services and Wipro.
Critics not only caution against state misuse and surveillance of personal data, but also argue
that security and government access is not achieved by localisation. Even if the data is stored
in the country, the encryption keys may still remain out of the reach of national agencies