Note: #NAMAprivacy Bangalore is next week. Apply to attend here.

Speaking at #NAMAprivacy Delhi, Murari Sridharan, CTO of BankBazaar, who was a part of the team that set up Microsoft’s Cortana (AI) and Azure (cloud hosting), said that while building both of those, they had the following guiding principles: “One we assumed that nothing is secure indefinitely. Second we assumed that nothing is anonymous. Third is that you have to trust but verify, and rinse and repeat all the time. You have to worry about data at rest, in flight and threat models where the host itself is compromised.”

Impact of data localization on the digital economy

Sumandro Chattapadhyay, Research Director at the Centre for Internet and Society said that we’re moving towards regional digital economies, and taking steps towards digital free trade zones “ The first one, in Malaysia: Alibaba has set up the first ‘beyond China’ physical establishment to run their logistical operations.” “If you’ve been following Jack Ma’s suggestions to the G20 in the last edition, what he is taking about is an electronic world trade platform. Think of a million times the size of Paytm.” He said that questions of regulation of storage, reuse, sharing, national and international flow, government access, foreign governments access to user data etc are appearing because the Internet as a platform for business, finance, inclusion etc is booming and it’s important to think of the complex regulatory landscape keeping in mind the reality of the digital economy: that it is being regulated, but cannot be killed.

Avinash Ramachandra, Director of Public Policy at Amazon India, concurred, saying that at a time when investments, economic activity and jobs are of prime importance, ”any move to veer the discussion away to anything else prematurely is going to impact across the board. While we have projections of what the potential is because of cross border data flows, Mckinsey did a study where it said that $2.8 trillion in the next few years, and over $11 trillion by 2025, is the total value of the economy that depends on cross border data flows.” He pointed towards the impact it will have on the IT industry if cross border data flows were curbed.

Responding a question on the potential impact on startups, he said that “If you look at many of the startups in India, about 80% of them were actually born in AWS. Many of [Amazon’s ecommerce marketplace] competitors were born in AWS. At that time we did not have a region in India, which meant that they were located in some geography in the world. Now we have a region here. The bigger question is, one of the features that AWS gives is: if you’ve developed a particular service for yourself, it can convert itself for all of AWS’s clients in the enterprise space. Look at it this way: if that service existed somewhere in some datacenter abroad, it could get easily replicated across the globe. You can increase the number of customers you can have as a startup, which may or may not be possible if you were restricted in having it only in a location here. You’re essentially cutting off a lifeline or a channel or and a conduit that could help the startup, rather than allowing it to proliferate, and get more people to understand and see how it works.”

NASSCOM’s Prasanto Roy said that “India’s consistent position is that it is a globalised internet, and [to] not go along with the balkanisation of the Internet. The demands for localisation are aimed at increasing trade barriers. They may have been triggered by defence and security – China brings that up – but usually it is trade barriers. We (India) service the worlds data. The worlds financial services data is processed in India: 45% of our $150 billion IT services and BPM industry is financial services. That is huge. There there are some laws which apply directly. In the EU, the rules apply as long as where the data is processed. Even if India has had a loose regulatory regime, the agreements between the customer and the service provider are so strong that no service provider would risk a data infraction and a leak. That’s been the foundation of our services industry.”

Data sovereignty and colonisation

Sridharan pointed out that with the cloud, when it came to Azure, you have to virtualize “compute, storage and network. You have to have this aspect, that any service can run any server in any datacenter”. “This whole notion of where the data resides shouldn’t even come into play. But when you’re designing a platform for a multi-tenant data centre, you have to be extremely cautious that data doesn’t flow back and forth between tenants.”

But governments can still demand access to data, saying that, or prevent transfer of data between jurisdictions. “We had to think about it from that Point of view. If you have to sell to enterprises in the EU you have to conform to all of those laws. As a technologist, we prefer to solve the general problem and then add if you want to tag this data so that it doesn’t leave this cross border jurisdiction, we can handle all of those”, he added. “You define the constraint boundaries, and within this you can travel. My job [as a technologist] is to make sure that that ability exists, so that depending on what regulation wants you can do the appropriate thing. Initially, you assume that there are no constraints, and as and when you get a regulation, we’ll get told that this data cannot move anywhere else, it’s in the design that we’ve incorporated for such a constraint to come in, and you can handle the placement of that data.”

Sumandro, responding to a question from Asia Times’ Saikat Datta, who moderated the session, said that whether the idea of data colonization emboldens some governments to say that data should be within territorial boundaries because it needs regulation etc, said that it is truly a concern because “especially from a digital and citizens rights perspective, there is a fundamental question of whether the citizens’ being begins with the state or the citizen precedes the state. Similarly one can ask whether the user data precedes the citizen or the citizen precedes the user data. The fact the company has allowed me to conduct certain activity online, means that any processed data or metadata produced by that activity, is there an agreement that any data produced during the activity is the company’s property and so on. Digital colonialism is at the center of these discussions.”

He added that “One part of the data localisation debate” he said, is “about citizens wanting their own state to prevent [their] data from being used by other governments. The fact their own data is hosted in another country may possibly allow the government there to access it. The demand for data localisation from a government from that perspective becomes a demand to protect the rights of its own citizens. It is true that if we think of it from a consumers perspective, but one perspective will not solve the problem.”

Suhaan Mukherjee of PLR Chambers said that we “have to look at how models have worked when you attach sovereignty to data. Canada wanted to promote datacenters in its jurisdiction, and when asked for data that comes in from overseas, asks its own law enforcement agencies to show nexus [before giving access to data]. So from an operational perspective, they create mechanisms on what to do. Estonia has opened its data embassy in Luxembourg. It’s [held] somewhere else, but you’ve legal mechanisms to create and protect that sovereignty. We need to look at that [virtual] as distinct from physical and for everyone to recognise it as well.”

*

The #NAMAprivacy conference was supported by Google, Facebook and Microsoft. To support/sponsor #NAMAprivacy discussions, contact harneet@medianama.com