Mandatory data localisation may seem attractive based on notions of sovereignty, but it only makes the personal data more vulnerable in the process
By Kritika Bhardwaj
This post first appeared in Hindustan Times on August 3, 2018
On July 27, the committee of experts under the chairmanship of Justice Srikrishna finally submitted its report on the principles that will guide the framing of India’s data protection statute. With its report, the committee also submitted a draft Personal Data Protection Bill, which, it is hoped, will guide further consultation on the subject. Given that India remains a notable exception to the now long list of countries with data protection laws, this draft Bill is a welcome step. Regretfully, however, some of the committee’s proposals not only risk weakening privacy rights guaranteed under the Constitution, but also undermine the committee’s own stated objective of a free and fair digital economy.
One such recommendation is the requirement to mandatorily store a copy of all personal data on servers located in India, subject to the Central government’s power to exempt such storage if necessary or in the strategic interests of the State. However, for sensitive personal data, which includes information about religious or political beliefs as well as health and financial information, the government has no power to exempt recipients of personal data (data fiduciaries under the Bill) from this obligation. A further category of “critical personal data” — a term that is undefined under the Bill — must be stored exclusively in India. The requirement to store data locally needs reconsideration not only because it militates against the idea of a global Internet, but also because it fails to adequately consider surveillance harms, issues of data security as well as their detrimental effects on industry.
Usually, the rationale behind restricting cross-border flow of data is to prevent entities from circumventing their obligations under national laws for data protection, or to protect personal data from processing risks abroad. Viewed in this context, the requirement to retain only a copy of all personal data in India is curious as it fails to achieve either of the two objectives mentioned above. Instead, most countries across the globe attempt to achieve these objectives by making cross-border transfer of data contingent on additional safeguards — a proposal that has also been incorporated in this Bill.
As lawyer Chinmayi Arun has pointed out, this mandate appears to be geared more towards the State having access to personal data rather than a desire to protect it. The committee’s report suggests that such access is necessary for law enforcement agencies to be able to enforce domestic laws. Investigation and prosecution of offences is undeniably a legitimate state interest. However, advocating for increased access to personal data through mandatory localisation without adequately considering surveillance risks is unhelpful. While it is arguable that surveillance reform was outside the committee’s terms of reference, it nevertheless ought to have taken note of the lack of effective checks under the extant legal regime before recommending data localisation. Among other limitations, the current legal framework allows communications to be intercepted without any judicial oversight.
In its report, the committee accurately notes that gaining access to data stored abroad through Mutual Legal Assistance Treaties (MLATs) — agreements between states for the exchange of information — has become a tedious process. However, it does not note that the failure of MLATs is a global concern and several states are already exploring alternatives.
Besides surveillance-related harms, data localisation also imperils the security of the data itself. As Anupam Chander and Uyên Lê suggest, forcing data fiduciaries to store data locally deprives them of the option of distributing information across servers in multiple locations, making it more vulnerable to cyber threats. This mandate also reduces the choice available to data fiduciaries by forcing them to opt for local but less secure data centres. In a 2016 survey, India was ranked 36th out of the 37 countries surveyed for risks associated with operating data centres.
Further, the committee’s view that localising data will aid the creation of a digital industry for emerging technologies is equally misplaced. Experts have argued that data localisation has an adverse impact on businesses, as it escalates their infrastructure and energy costs. This requirement may be especially onerous for small and medium sized businesses. The committee’s report considers and summarily dismisses this concern on the presumption that options for storing data locally will increase pursuant to its recommendations — without any thought to the viability or robustness of these options.
The requirement for mandatory data localisation may seem attractive based on notions of sovereignty, but it achieves little except damaging the character of the global Internet, making personal data more vulnerable in the process. Such a proposal is regressive, and it is hoped that a process of public consultation provides an opportunity to deliberate on it further.
Kritika Bhardwaj, a lawyer, assisted the petitioner’s counsel in the right to privacy case. She is also a Fellow at the Centre for Communication Governance at National Law University Delhi