As India builds its data protection regime and contemplates the vast range of issues involved, one issue has emerged in the spotlight: data localization. It’s all the rage. The Ministry of Electronics and Information Technology (MeitY) wants it. The Reserve Bank of India (RBI) wants it. The Ministry of Commerce wants it.
It’s not clear, however, whether India needs it.
Here’s what is clear: data localization – measures designed to keep data in India – could dramatically chill investment and innovation in India’s currently vibrant digital economy. But policymakers do not fully grapple with this risk – not even in, for example, MeitY’s recent 300-page draft data protection bill and report (on which MeitY collected comments October 10), let alone in the RBI’s 1-page circular with an October 15 enforcement date.
Policymakers have not grappled with the substantial costs of reorganizing and relocating data and operating new data centers, which could discourage if not bar investment, especially from small and medium enterprises (SMEs). MeitY’s documents, for example, claim that nobody has presented conclusive evidence regarding these costs. But the burden of proof must rest with the policymaker. And ironically, the documents disregard these costs based on a “considered view,” rather than on evidence.
Further, data localization could significantly reduce the quality of the services Indian consumers receive by depriving companies of the scale and efficiencies of global networks and restricting the volume of data from which companies can extract insights to improve their services. Nowhere has this risk been properly acknowledged, let alone addressed.
To keep India’s internet and technology space vibrant, and relatedly set an example for regulators around the world grappling with these matters, India should approach localization bearing in mind the following three key principles.
Explore Effective Alternatives.
Localization is not security. The security of data depends less on its location and more on the legal and technological safeguards around it. This has two related implications that policymakers should carefully consider.
First, data stored outside India can be as safe if not safer than in India, if the regions in which the data is stored have robust data protection requirements and technologies. This weighs against localization, as multiple regions are developing strong data protection regimes, and global cloud providers (who operate across borders) are more likely than smaller local players to provide advanced privacy-enhancing technologies.
Second, policymakers should focus on developing sophisticated legal and technological requirements for data protection and articulating them clearly, rather than relying upon localization as a policy remedy for security.
In addition to enhancing data security generally, policymakers seek localization to enhance law enforcement. This objective, however, can be accomplished through mutual legal assistance treaties (MLATs). Recognizing that the negotiation of an MLAT process can sometimes be time-consuming, there are other alternatives. For example, the United States recently enacted the CLOUD Act, which allows the U.S. government to work with other governments so that foreign law enforcement agencies can request data directly from U.S. companies.
Tailor Provisions Narrowly.
Given localization’s significant harms and multiple alternatives, to the extent policymakers decide to impose localization provisions, these should apply only to the categories of data for which they are deemed absolutely necessary for national security. Relatedly, these categories should be defined with precision, and in consultation with stakeholders, to mitigate the risk of overinclusion or ambiguity.
In contrast, MeitY’s bill’s current approach is overly broad. For example, it asks the government to identify categories of “critical” data – which must be stored exclusively in India – on the broadly defined grounds of “necessity or strategic interests of the State.” Similarly, when the bill defines “sensitive personal data” (i.e., data requiring a variety of heightened protections, including in relation to localization), it casts too wide a net. For instance, it deems a wide range of low-risk financial data “sensitive.” This also sets a risky precedent for what data the government can identify as “critical.”
Foster Innovation and Competition on the Merits.
India seeks and is positioned well to take advantage of a burgeoning artificial intelligence (AI) ecosystem, which will fuel innovation and will undoubtedly be built on data. However, the net effect of localization provisions may be – counterintuitively – to reduce the amount of data in India by discouraging investment and innovation, undermining the government’s AI ambitions.
In addition, localization can advantage Indian companies over international ones. This manifestly skewed playing field could erode a defining pillar of a healthy economy: competition on the merits. Such competition maximizes consumer benefit and must therefore be any policymaker’s goal. It has fueled India’s thriving – and globally recognized – internet and technology space, which sees countless highly innovative companies (Indian and international) competing to provide Indian consumers the best services. Smoother cross-border data flow will help preserve competition on the merits and its profound benefits.
Following these principles, India has an opportunity to maintain and grow a flourishing internet and digital economy. Indeed, India will set an example for the world as various jurisdictions grapple with how to deal with the management, security, and flow of data. Let’s hope it is an example for others to follow.
Manpreet Singh Anand is Senior Vice President at Albright Stonebridge Group, where he leads the South Asia practice.
Nikhil Sud is a Regulatory Affairs Specialist with ASG’s South Asia practice.