By Tuhina Joshi, Ikigai Law
Reading through the latest iteration of the draft e-commerce policy, which was released by the Department for Promotion of Industry and Internal Trade (DPIIT) on 23rd February, 2019, one might be tempted to conclude that it may well have been a data regulation policy.
In trying to “lay down strategies to address issues pertinent to the [e-commerce] sector”, the policy proposes strategies for regulating access to data (which the policy characterises as a “national asset”); mandating data storage requirements; and controlling cross-border data flows.
The data storage requirements suggested by the policy go above and beyond the framework proposed under the Personal Data Protection Bill, 2018 and severely limit the freedom of businesses to transfer or share sensitive data that is processed in India once it is outside the country, regardless of customer consent. As a result, these requirements effectively necessitate the setting up of data centres in India, to minimise the need for storing sensitive data on foreign servers. The policy acknowledges this necessity by devoting an entire chapter to the development of data centres in the country. Under this chapter, the policy recommends a time-frame of three years, within which businesses are expected to transition to “data storage within the country”. However, the policy fails to provide an explanation for why it chooses this particular time-frame. It is therefore worthwhile to consider the implications of this recommendation.
Practically speaking, building a data centre requires the availability of real estate for constructing the centre, uninterrupted electricity for powering it and water management and air conditioning systems for cooling. Simultaneous access to all three resources, that is, land, electricity and water can be difficult and expensive to acquire in India. Some of India’s most developed Tier-I cities continue to face power outages and water shortages to this day, to say nothing of the state of our Tier-II and III cities. At least three different studies have identified the difficulty of access to these resources as a serious issue affecting India’s readiness to adopt cloud infrastructure. Thus, any time-frame for transitioning to data storage in India must account for the time it would take for the government to address these systemic issues.
To add to this, data centre sites cannot be located in areas that are prone to floods, earthquakes and extreme heat conditions. As per the National Disaster Management Authority of India, more than 58.6% of our landmass is prone to earthquakes, 12% of our land is prone to floods and our hilly areas are prone to landslides and avalanches. This leaves us with a limited portion of the country’s landmass on which we can build data centres.
Given all of these factors, principled objections to data localisation aside, it seems like the policy’s recommendation for a three-year time-frame for transitioning to local storage for a country of 1.3 billion is clearly short-sighted and needs serious re-consideration.
Tuhina Joshi is a policy associate with Ikigai Law, an award-winning law firm focused on emerging technologies. She tweets at @tuhinajoshi11.