This is first in our series covering our events in Delhi and Bengaluru on India’s Data Protection Law. Click here to read the rest.

“What mirroring does is increase the number of attack surfaces for any system,” Vinayak Hegde, CTO of Zoomcar said at the #NAMAprivacy discussion on the data protection bill in Bangalore last week. “An attack surface”, he explained, “is the amount of places where you can attack a system so that it can be breached. Earlier you could attack a server in the US and get that data. Now with localisation and mirroring forced on you, you have another system that is much more poorly secured depending on what operator you have. That also has national security considerations which nobody is talking about.”

Data localisation is possibly one of the most contentious parts of the Srikrishna committee’s data protection bill. Software lobbies and companies have come out in protest against this requirement, since it would significantly drive up costs. It is, however, a requirement that the government seems intent on implementing — even the national e-commerce policy and the unreleased national cloud policy of the government endorse the idea. Why does the government want localisation — that is, requiring at least one copy of all Indians’ personal data to be stored in India? Will doing so achieve the aims the government likely has in mind, i.e. law enforcement access to data, control for users, and job creation?

The following key points were made on Data Localisation at the #NAMAprivacy discussion in Delhi and Bengaluru:

Localisation elsewhere

  • From EU to China: In EU, the GDPR doesn’t have a hard localisation mandate — it merely says that cross-border data transfer can only happen if the other country has adequate safeguards for data. China, Russia and Vietnam have toyed with localisation. We’re trying to move to a world with free flow of data cross-border while protecting privacy. Stickiest issue is law enforcement access to data. (Nehaa Chaudhari, Public Policy Lead, TRA Law)
  • Alongside China and Russia: India now stands alongside China and Russia as far as localisation is concerned. This law mandates all types of personal data to be stored locally. (Venkatesh Krishnamoorthy, Country Manager for India, BSA: The Software Alliance)
  • Another approach for law enforcement access: In the US, the CLOUD Act allows tech companies to immediately share data with foreign governments and vice versa under executive agreement with the US president. We need this kind of procedural clarity. The bill doesn’t do this. If you are serious about sovereignty, this macho idea of let’s store in India and worry about the rest later is not going to work. (Nayantara Ranganathan, Internet Democracy Project)
  • No precedent for India’s localisation push: The localisation provision in the bill is completely unprecedented outside of certain specific regimes like China and Russia, which have a completely different political and civil rights outlook. If you look at countries comparable with India, there is nobody asking for all personal data to be stored locally. (Vinay Kesari, Independent Lawyer)
  • Why tech companies respect privacy more in the west: In the US, companies push back on government requests out of fear of backlash from users as well as their own employees. Look at how Amazon and Google employees revolted against the companies’ use of AI and facial recognition technology in the military and law enforcement. Do you think Indian offices and users would revolt like this? That’s why India-based businesses don’t push back. (Vinayak Hegde)

Security and cost of compliance

  • Localisation vs Cross-border data transfer: Having one serving copy of personal data within the country is an area of concern. Two aspects: one is data localisation, and other is permitting cross-border data flows. We are concerned about the localisation mandate. (Krishnamoorthy)
  • All eggs in one basket bad for security: One large concern is security. It makes little sense to have all data stored in one country with one service provider. Ideally companies use redundant datasets all over the world. We are creating a honeypot situation here. (Krishnamoorthy)
  • Costs will go up: Cloud services are able to provide cheap services with credits to users in India because they’re able to harness the power of global digital data flows. It’s the customers’ choice to choose where to store their data. (Krishnamoorthy)
  • On new apps who have to comply with regulations: it’s very possible that new services by companies won’t be available in India immediately. What’s picking up now is microservices — they are so niche that they appeal to a global audience as soon as they’re launched. Indians make these as well. So a legislation like this, how would it impact such services? It’s unclear.
  • Companies may reduce security to comply: Aside from taking a beating on costs, businesses might opt for sub-optimal solutions to be compliant with regulations. That doesn’t give good value to the company or to the consumer. Forget about being locked out of innovation, we might actually go back in time. As costs go up, the consumers will bear it. Localisation comes with costs for businesses. For small businesses, it comes at a considerable cost. (a member of the audience)
  • Redundancy may not happen: Many of the conversations on mirroring assume that there will be one copy residing outside India too. That may not happen if costs don’t align — security through redundancy is also possible by having two datacenters in the same country. (a member of the audience)
  • Privacy vs access: We need to separate privacy from access. Localisation does not improve privacy. The internet is globalised and breaches can happen from anywhere. Mirroring only increases that possibility. (Vibhakar Bhushan, CCICI)
  • Technical localisation challenge: Assumption being made is that datasets and architecture of large applications is simple, and already partitioned by country and so on. That’s not necessarily the case. Application architectures and how data is extremely complex and localisation may require full re-architecture of the data. (Vikas Mathur, CCICI)
  • Holding a ‘serving copy’ could make compliance much harder: “The language of section 40 talks about a ‘serving copy’ [of data being mirrored in the country]. Do we know what that means? Because I think, if companies are required to keep a ledger of their data locally on a mirror, that’s more acceptable than if, for instance, Google Maps has to keep live data mirrored of every trip that is being undertaken. I believe no map company in the world will ever be able to function if they have to have individual map mirrors of live-streaming data of every trip in the country. There’s a huge feasibility gap which hangs on the definition of ‘serving copy’. If it’s a live mirror of something like map information, I believe that’s technically infeasible to do.” (Rahul Matthan, Partner, Trilegal)

Localisation in India and the law

“Left to themselves, any government would rather arm-twist behind the scenes and come to a non-transparent agreement that works in their favour, rather than do something that is based on the rule of law. It’s our duty to nudge our government in the direction of something that’s more transparent and sustainable.” (Kesari)

  • Localisation isn’t new in India: The idea of localisation has repeatedly come up across different government policies. The bill prescribes localisation as well as conditions for cross-border transfer of data. TRAI already has data localisation mandates for telcos, and RBI has mandated it too. The idea isn’t new. (Chaudhari)
  • Conflict with Puttaswamy and Constitution: I don’t think this approach is best for Indians. We do need to think about the interests of the country, but localisation is an objective-solution mismatch. Any action government takes has to be seen from the perspective of the Puttaswamy judgement [where privacy was declared a fundamental right]. That decision places contours on what government can or cannot do. Any state action must be backed by law. Any action must also be necessary and proportionate, and absolute data localisation as described in the bill is potentially unconstitutional. (Chaudhari)
  • International obligations: We are sovereign, but part of a global interconnected world, and have obligations under international bodies like WTO. In WTO, cross-border data flows come under GATS, under which member nations are allowed to frame certain restrictions on free flow for data, but these restrictions can’t impact trade, and can’t be excessive. (Chaudhari)
  • Missed shot if sovereignty was the goal: This bill is a missed opportunity for data sovereignty. In terms of enforcement, making sure that data is within the country does not ensure that states have access to data. It also doesn’t cover transnational use-cases where person involved may not be an Indian citizen. (Ranganathan)
  • Protectionist policy: There’s a stream of protectionism running through the government’s different policies advocating localisation. This makes it clear that it’s not just about law enforcement access to data, but also about the economy. (Ranganathan)
  • Is localisation policy actually leverage? Localisation is possibly a tool of leverage for the Indian government in international trade negotiations. It’s a card that can be played. It could also force foreign businesses to start paying Indian taxes. (Ranganathan)
  • Motive for localisation is not privacy: The push for localisation has nothing to do with privacy. There’s apprehensions that global social media companies may influence the minds of people in India. That could be a long-term goal for any country to make sure that minds are not influenced by foreign companies. Since this law is about citizens, we should speak as citizens. Pre-1992, we only had two car brands. Those companies were far more profitable than they are today. Do we want to go back to that era for the digital industry? It’s a political and economic matter. (Srinivas, Privacy Expert)
  • Localisation proposal was inevitable: The Supreme Court’s judgement gave the responsibility of safeguarding personal data to the government, and therefore it was inevitable that the government had to mandate localisation. (Na. Vijayashankar (aka Naavi), Information Assurance consultant)
  • Deterrent introduced by localisation: Indian law provides for evidence to be produced in court merely by access — no other country has that kind of provision. You’d normally need to seize the server in which data is stored for it to be submittable. By asking for localisation, there’s a deterrent introduced by making sure that there are individuals in India who can be held accountable by law enforcement. We need procedures and checks and balances in the system so that nobody is just able to call a company and coax data out of them. (Vijayashankar)
  • How lazy policymaking led to localisation: There’s a little bit of laziness with the government’s policy responses to these real issues that it has identified. There’s also a temptation to come up with regulation that gives the government a lot of leeway and to create laws that are against the rule of law. Coming up with a transparent and effective solution takes time and money and unfortunately we are not willing to do that. (Kesari)
  • Privacy vs informational privacy: This is informational privacy. Privacy is completely different from informational privacy. Localisation is very important. Even GDPR managed to localise a copy of a lot of data in the EU. It’s a baby step in the right direction. Concerns are on cost and compliance. This is the hour for a change in our DNA. (Deepa Vadivelan, Manipal Global)

Law enforcement access to data and sovereignty

  • Motive legitimate, but means questionable: We want a global India, and that aspiration cannot be denied. But the means with which we get there have to be thought through. One reason we’ve heard is law enforcement access to data. That’s a legitimate concern. Right now governments have to go through MLAT to get data, and sometimes they get data after two or three years. MLAT itself is a broken system. (Krishnamoorthy)
  • Localisation can’t solve access problem: Will localisation solve the problem of law enforcement access? And are there other ways to get data without localisation? Even if data is stored in Pune or Bombay, you can’t just step into the data centre and ask for information. You need a legitimate request and go through the process. Is localisation really the magic bullet for this problem? (Krishnamoorthy)
  • On ‘data sovereignty’: ‘Foreign’ companies like Microsoft and Salesforce are equally participating in the Indian growth story. Microsoft has nine or ten centres in India, its CEO is from India; Salesforce’s second largest in the world is in Hyderabad. (Krishnamoorthy)
  • Data is the new oil (and the new reason for localisation): It’s not that data localisation new. But it’s a tailored and specific requirement that is used to target specific harms. There’s a nationalist fervor riding localisation demands. This isn’t only about national sovereignty, but also tech sovereignty. Governments now think of data as a national resource. Tech sovereignty goes beyond economics and law enforcement. (Jyoti Panday)
  • Structural issues leading to ‘data colonialism’: It’s not only the firms that are imposing data colonialism — the way we’re building this technology itself means that profits are privatised and the risks are socialised. Data sovereignty is a good start — for instance using anonymised transit data for urban planning — but localisation is a harmful policy on multiple fronts. (Ranganathan)
  • Intransparent access to data abroad a concern: A large part of our online presence is available for access, access that we will never even come to know about. Eg. Snowden revelations. Some government sitting outside India getting our data should be worrying. (Amod Malviya, former CTO of Flipkart)

These points are not verbatim excerpts of the speakers’ remarks, and are edited for clarity.