General

Data Localization And Cross-Border Data Transfers

________________________________________________________________________________

This Blog is written by Kaviya Kannan from Kasturba Gandhi Degree College, Osmania University. Edited by Uroosa Naireen.

________________________________________________________________________________

INTRODUCTION

Data localisation is considered a relatively new concept in India. Data localisation is the process of localising the citizen’s data to one’s home country for its processing, storage, and collection before it goes through the process of being transferred to an international level. [1] Data localisation is done with the motive of subjecting it to one’s local data protection and privacy laws. It bases itself on the concept of full-fledged data sovereignty. Various legislations as well as legislators are debating on this topic and India is gradually progressing towards localising the data.

Data and technology will play a pivotal role in India going forward. Data combined with the digital economy are inextricable aspects of the nation’s economic growth and development. The space-time compression offered by emails and phone calls speeds up and facilitates decision-making. This ensures well-informed growth at unprecedented levels and speeds. At the nub of the digital economic growth, lies the global data flows. Companies and governments around the world have used data to advance their progress. Cross-border data flows have fuelled progress on an exceptional scale. A key characteristic of this phenomenon is the defiance of physical borders in how they operate. There is a case to be made that the current benefits of cross-border data flow that fuel today’s progress is just the beginning. The prospects of what these data flows can accomplish in the future are boundless. For instance, consider if an airline wished to open a new route from Hyderabad to Vadodara; it would check the number of passengers commuting through the route through the train and the price they are willing to pay. It would require huge datasets from the Indian Railways and also from the bus service providers to justify whether or not servicing the new route would be a good idea. The datasets in this scenario is known as ‘Big Data’, and the practice of deriving insights from it is called ‘Big Data Analytics’. Insights like the one above proves that big data has the potential to drive innovation, growth, and economic competitiveness. It would lead to smart allocation of resources and also, more relevant advertisements and marketing strategies. This is a segment that is projected to grow substantially shortly. Forbes recently reported that 2.5 bytes were being produced every day. [2] Information from big data analytics not only help businesses expand, but they also guide decisions in daily life. Data generated and transferred across borders has proven to simplify daily life exponentially. For example, collecting and analyzing locations through phones allows Google Maps to help determine the best path from point A to point B. Insights developed can help users check for traffic congestion before traveling and also reduces the amount of traveling time after considering the dynamic situation on the ground in real-time.

SIGNIFICANCE

Recently, a growing number of emerging economies have adopted data localisation as part of their efforts to maintain cross-border data transfers. This is being done in countries like China, India, Nigeria, Russia, Rwanda, and Vietnam. Localisation of data system involves two main types of requirements: [3]

• Data storage requirements stipulate that certain sets of data – typically government data and personal data of national citizens – are hosted in data centers located in their country.

• Data processing requirements demand that specific activities concerning data entry, manipulation, processing and management should take place domestically.

Data localisation has been steadily gaining significance over recent years. There are certain arguments that are in favor of localising the data. [4] They include;

• Need to recognize Indian data as a resource that can be used for national economic and social interest as well as to enable enforcement of state functions and Indian law.

• The economic benefits will strengthen the local industry by creating better local infrastructure, employment, and contributions to the AI ecosystem.

• Regarding the protection of civil liberties, local hosting of data will ensure the privacy and security by the Indian law which also enables users to access local remedies^.[5]

DATA LOCALISATION AND THE IMPACT

When it comes to data security, investment in infrastructure and maintenance is more critical than the physical location of data. For example, one of the greatest advantages of storing data in the cloud is data sharing – the fact that information is typically sliced up and distributed among multiple systems rather than kept on a single system or set of systems. [6] Essentially, extra costs of data localisation might lead to lower investments in the case of security aspects. Restricting cross-border data flows can also lead to cases such as money laundering and terrorist financing. For instance, when the reporting ability of mobile money providers is compromised by regulations that restrict cross-border data sharing, this can increase the risk of a criminal who is rejected in one country; can open a mobile money account in another country and is able to make transactions. In addition, the positive impact of data localisation on job creation might be reversed as companies may decide to exit a particular market as a result of the inability to provide services effectively and increased costs.

DATA PROTECTION BILL, 2018 AND OTHER PROVISIONS

The framework for the protection of personal data in India is contained within The Personal Data Protection Bill, 2018 as well as the Data Protection Committee’s Report which was released on July 27^th, 2018. Another draft legislation called the Digital Information Security in Healthcare Act was also published by the Ministry of Health and Welfare. All these combined could be termed as the Data Protection Framework. These legislative measures showcase the government’s desire to protect national privacy as well as provide security. Earlier, such steps were taken by the government which was reflected in the Companies Act, 2013. These were the required copies of the maintenance of books of accounts in an electronic form, which were to be kept in servers that were physically located only in India.

Data Localisation as a Mandate

Recently, the Reserve Bank of India (RBI) issued a mandate on 9^th April, 2018, which required all fin-tech companies, 3rd party vendors, all payment system providers, and their intermediaries, service providers to localise their data which includes ‘payment instruction’, ‘full end-to-end transaction details’ as well as other information to be processed, carried, collected which is covered under the ambit of what is to be stored and that their data must be stored only in India. These records are required to be maintained and thereafter audited annually and produced before the RBI. [7]

Proposed Amendments to the Drugs & Cosmetic Rules, 1945

The recently proposed amendment which is aimed at the regulation for e-pharmacies provides for that for e-pharmacies to conduct business in India, web-portals have to be established in the country and data has to be stored within the country. The draft states that the data generated or mirrored, shall in no way, and under no means, be sent or stored outside India. [8]

ANALYSIS

One of the oldest debates in politics, freedom Vs security, is more relevant today in the debate between government surveillance Vs an individual’s privacy. Since the 1990s, a growing number of countries have adopted data protection and privacy laws or regulations. An important issue among these differences is, how to approach the problem of data collection. How much data should be collected by governments and private companies? Which legal and ethical restrictions should be imposed in order to prevent data collection and processing abuses? Moreover, who does data belong to? Governments and companies, who store personal data can be accessed, processed, and stored unknowingly by government surveillance agencies. While the digital age has brought more freedom and liberty for individuals around the world, it has also provided governments with better tools to respond efficiently to the growing scope of electronic independence. The emergence of multiple data collection bodies and institutions and their overlapping and sometimes competing for data storage policies bring in the question of what happens if personal data is lost, damaged, or misused? Although countries approach this question individually, this is considered as their sovereign right. With the aim of institutionalizing the data protection regime, India should consider formulating more effective policies that safeguard citizens from the misuse and abuse of personal data.

CONCLUSION

The data localisation laws are primarily concerned with the interests of a nation to secure its citizen’s information as well as to monitor their activities. The laws on data localisation can be enforced on various types of data such as health records, payment transactions, service operators, etc., to safeguard the privacy of the citizen. These restrictions in free data flow globally may impact issues like free global market, international trade policies, business deals, and global interaction. Countries like India, South Korea, Australia, and Brazil are moving steadily towards data localisation policies to a certain extent. Russia is strictly implementing the data law and many MNCs need to cross this hurdle to establishing their markets in Russia. LinkedIn is blocked in Russia as it couldn’t meet the policies of the Russian data law. As data security is playing a vital role to win credibility and trustworthiness, every nation is moving towards information security in the global technology race.