As expected, an outcome of Cambridge Analytica’s usage of Facebook data to potentially influence elections is that the government of India, including PM Narendra Modi, has instructed that data sharing should be regulated and servers located in India, reports Times of India. This comes on the back of the RBI mandating that payments processing data be stored in India.

Frankly, keeping servers in India is a direct outcome of the Cambridge Analytica issue, just as a draconian IT Act was an outcome of the terrorist attacks on Mumbai: we tend to lean towards a highly conservative approach, which can have a negative impact on freedom and the freedom to do business.

Forcing servers to be hosted in India has been a long standing demand of the then BJP IT Cell co-Convener Vinit Goenka. Back in 2014, days after the BJP government came into power, Goenka had written about this issue, highlighting issues with potential misuse of data of Indian users being hosted beyond Indian, but really offering no reason for how data being hosted in India will prevent such misuse. A similar rhetoric appears to be emerging from the government, saying that the access to these servers is “highly regulated by US laws and certain international treaties”.

MediaNama’s Take

1. The idea of having servers in India is more about government need for accessing data, than user privacy: The Indian government is just being opportunistic here: it has been struggling to get data on citizens from companies like Google and Facebook, and US laws regarding demands for data are more stringent. The MLATs process is cumbersome and time-consuming, and while this is an important and legitimate concern when it comes to terrorist activities, there’s little in Indian law that prevents unrestricted government access to data even when it’s not needed for a legitimate law enforcement purpose. Indian law doesn’t define the phrase “national security”, or an approach to access data in a manner that protects user rights.

2. Privacy protection will not be provided by hosting servers in India, but by a law that is applicable to Indian users. Users are protected better by laws that are stringent and protect privacy, restricting data collection, sharing processing, and have adequate penalties for privacy violation. As Mahesh Uppal had said in the Data Protection consultation, just because data is hosted in India, does it make that more secure? Just because it is hosted outside of India, does it become less secure?

My take:

A weak data protection law in India will mean that data of Indian users stored within India will have weaker protection than data stored in the EU under the EU GDPR.

3. Servers in India are not necessary for the applicability of Indian law: An Indian law can include a clause that only allows collection of data of Indian users if the companies agree to the applicability of Indian law.

4. India needs to incentivize hosting on Indian servers, not force: The added advantage of this is, apart from encouraging Indian data center businesses, is that it will help reduce bandwidth costs for ISPs, and keep India to India data within India, instead of having to route it halfway across the world and back. What is still needed, though, is allowing datacenters to interconnect with India’s Internet Exchange NIXI, wherein, only ISPs can connect directly. Tax incentives for datacenters will also help.

5. Not in line with India’s position that it is a globalised Internet: NASSCOM’s Prasanto Roy at our data protection discussion last year, had said that “India’s consistent position is that it is a globalised internet, and [to] not go along with the balkanisation of the Internet. The demands for localisation are aimed at increasing trade barriers. They may have been triggered by defence and security – China brings that up – but usually it is trade barriers. We (India) service the worlds data. The worlds financial services data is processed in India: 45% of our $150 billion IT services and BPM industry is financial services. That is huge. There there are some laws which apply directly. In the EU, the rules apply as long as where the data is processed. Even if India has had a loose regulatory regime, the agreements between the customer and the service provider are so strong that no service provider would risk a data infraction and a leak. That’s been the foundation of our services industry.”

6. Negative impact on efficiency for Indian businesses: During our data protection event last year, Avinash Ramachandran, Director of Public Policy for Amazon India had said that “If you look at many of the startups in India, about 80% of them were actually born in AWS. Many of [Amazon’s ecommerce marketplace] competitors were born in AWS. At that time we did not have a region in India, which meant that they were located in some geography in the world. Now we have a region here. The bigger question is, one of the features that AWS gives is: if you’ve developed a particular service for yourself, it can convert itself for all of AWS’s clients in the enterprise space. Look at it this way: if that service existed somewhere in some datacenter abroad, it could get easily replicated across the globe. You can increase the number of customers you can have as a startup, which may or may not be possible if you were restricted in having it only in a location here. You’re essentially cutting off a lifeline or a channel or and a conduit that could help the startup, rather than allowing it to proliferate, and get more people to understand and see how it works.”

7. The TRAI had recommended amendments of MLATs to include lawful interception:
From our previous report on the TRAI recommendations on cloud computing:

  • Mutual Legal Assistance Treaties: To allow lawful access or interception of information on cloud services outside India, the government of India could enter into Mutual Legal Assistance Treaties (MLATs) with foreign countries, the TRAI said. MLATs can be used for obtaining evidence for criminal investigation in India, but at times, data required might be stored in a cloud server outside the country.
  • Existing MLATs to be amended with provision for lawful interception: Existing MLATs between India and other countries “should be amended to include provisions for lawful interception or access to data on the cloud” TRAI said. India should consider negotiating new MLATs with countries where cloud data is usually hosted, TRAI added.