4 July 2019, Gateway House

Decoding data localisation

Data localisation, or the practice of physically storing data on servers located within a country, has become a subject of robust debate after India introduced data localisation provisions in its domestic laws. India’s position is not unique; China and Russia too have similar laws. It has pitted countries against each other. This Gateway House primer explains the complexities of data localisation and its elements.

Former Senior Researcher, International Law Studies Programme


Data storage and data protection are the urgent focus areas of governments and private institutions around the world. The current debate generated by India’s stand on data localisation has its origin in the provisions of local laws on data of countries like China, Russia and now India, in contrast to the laws of the US, Japan and some EU nations. Foreign governments and companies have strongly opposed India’s localisation norms. At the recently-concluded G20 Summit in Osaka in June 2019, Japanese Prime Minister Shinzo Abe introduced the concept of “Data Free Flow with Trust”, in the background of the heated WTO e-Commerce negotiations. India’s Economic Survey 2018-19 of 4 July 2019 has a full chapter on data, and proposes that India view data as a public good.[1]


Here are some fundamentals about data localisation.

1. What is data localisation?

Data localisation is the practice of physically storing data on servers located within a country’s territory.

Data localisation can be of different types such as:

a. storage of data only on local servers; or
b. storage of data on local servers as well as foreign servers.

2. What are the different types of data?

Data is typically referred to as ‘personal data’ that encompasses personal, public and corporate data. It includes:

a. Personal data of two types: (i) natural person or individual like Aadhaar or medical information, which covers sensitive personal data, such as passwords and biometrics; and (ii) an entity, i.e. a company, a college etc.;
b. Public data: government data like the Census.

3. Where is India-generated data currently stored?

The most popular hosting location in the world is the U.S. which has 42% of the host servers of the world’s top 1 million sites.[2] This is followed by Europe, with 31% of host servers. Most of the data generated in India by global companies is stored on foreign servers. For example, Amazon India stores the data generated in India on foreign servers.[3] This is because India has limited infrastructure and as yet no central legislation that mandates where data should be stored.

There are new business opportunities to be had in the data localisation space, such as enhancing transaction speed, thus contributing to business efficiency.

4. What are the arguments in favour of and against data localisation?

a. Countries support localisation for the following reasons:

(i) Strong regulatory oversight: better control by the country’s government over businesses operating within its jurisdiction
(ii) National security including effective law enforcement: instant and 24×7 access to data
(iii) Risk mitigation: prevents hacking and phishing attacks which are on the rise globally
(iv) Data sovereignty: protection from foreign surveillance

b. Countries oppose localisation for the following reasons:

(i) Excessive compliance – and therefore additional costs – for companies
(ii) Increased capital investment for building data infrastructure by companies
(iii) Discourages innovation – especially of start-ups and the SME sector
(iv) Barrier to trade and investment
(v) Sets a unilateral precedent for other countries to emulate 

5. Is data storage the same as data localisation?

No. Data storage is the act of retaining data on a storage medium. It is the overarching concept of which data localisation is a sub-set.

Data can be stored anywhere:

a. on foreign and Indian servers;
b. only on Indian servers; or
c. only on foreign servers.

The localised storage of data occurs in a. and b.

6. What is cross-border flow of data?

Cross-border flow of data is the movement or transfer of data from a server located in one country to a server in another country.

7. Is cross-border flow of data different from data localisation? What is the link between the two?

Data localisation and cross-border flow of data can run concurrently subject to a country’s law. For example, Country A may mandate storing a copy of the data on the servers located in its territory, but it may also allow the flow of data, whether provided by the local law on data or by a bilateral agreement, with another country/ countries.

8. What is data ownership?

The person to whom the data relates and who has legal rights over their data is the data owner.

A data owner is often referred to as a ‘data principal’ or ‘data subject’ under local legislations. For example, under India’s Personal Data Protection Bill, 2018, a data principal is the person to whom the data relates.[4]

The global discussion on data ownership, a concept which is more fundamental than localisation, is at a nascent stage. It will be valuable if a discussion on data ownership is introduced along with the current debate on localisation. This will help provide clarity on ownership, and thereby localisation, to stakeholders at an early stage.

9. Is data usage different from data processing?

Data usage flows from data ownership. Data processing is a technical term for data usage.

10. What is data mirroring?

Data mirroring is the practice of taking a copy of the data to or by another country, subject to local laws. For example, under the current Personal Data Protection Bill of India, data mirroring is allowed for personal data, but excludes sensitive personal data like biometric scans, sexual orientation and passwords.[5]

11. What is data sovereignty?

Data sovereignty means that data is subject to the laws of a country.

12. Is data privacy the same as data protection?

No. There is a fine distinction between data privacy and data protection. Data protection is the mechanism of securing data from unauthorised or unlawful access. On the other hand, data privacy is a legal concept that governs the control and use of the data.

In India, in August 2017, the Hon’ble Supreme Court of India held the right to privacy to be a fundamental right under the Constitution of India in the landmark case of Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India and Ors.[6]. This was followed by the Sri Krishna Committee Report on data protection, which is the basis of India’s Personal Data Protection Bill, 2018. It adopted the Supreme Court judgment, defining data privacy as the “right to autonomy and self-determination in respect of one’s personal data”.[7]

In practice, as opposed to theory, data privacy and data protection are often used interchangeably. As the global and domestic frameworks on data evolve, so will a distinction between the two concepts. The concept of data privacy is embedded in the Personal Data Protection Bill, 2018.[8]

13. What is the Osaka Track on worldwide data governance?

The Osaka Track is a plurilateral framework to promote the cross-border flow of data, supplemented with increased protection. It was formally introduced by Japanese Prime Minister Shinzo Abe at the G20 Summit in Osaka in June 2019. The Osaka Track is based on the concept of “Data Free Flow with Trust” which calls for global rules on the free flow of data with adequate protection mechanisms. It seeks to encourage the interoperability of data regulatory frameworks in the interest of fast-paced development of economies.

Amongst the G20 member countries, India, South Africa and Indonesia have abstained from signing on to the Osaka Track.

14. What is the extant (existing) data protection legislation in India?

At present, India does not have a central law on data protection. The Information Technology Act, 2000 and its allied rules, such as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, contain limited provisions on data protection. A separate Personal Data Protection Bill, 2018, mooted to be India’s only central legislation on data protection (which includes data privacy), is awaiting Cabinet approval. It is expected to be considered in the ongoing monsoon Budget Session of the Parliament.[9]

Meanwhile, regulators and statutory bodies, such as the Reserve Bank of India (RBI) and the Telecom Regulatory Authority of India, have framed their own law on data. For example, a 6 April 2018 notification,[10] issued by the RBI, mandated data localisation[11] for payments systems operating in India. Foreign companies such as Mastercard have strongly opposed the RBI notification because of the adverse impact it has on the company’s data processing on a global scale, and the capital investment to build the requisite data infrastructure in India.

15. What is India’s stand on data localisation?

India believes that data localisation is critical, given the large amount of data generated in India. By 2020, India is projected to generate 2.3 million petabytes (1 petabyte = 1 million GB) of data, which is twice the growth of the global rate.[12]

16. What is the stand of other nations on data localisation?

China supports India on data localisation; it understands the potential of data generated in a large consumer market. China has implemented a stringent law on data localisation which is broad in its scope and application.[13] Countries like Russia, Brazil, Vietnam, Indonesia, Brunei, Iran, Australia, South Korea and Nigeria have also introduced data localisation legislations.

In contrast, the U.S. and Japan are examples of countries which oppose data localisation. They support the free flow of data across borders. Even though the U.S. is against data localisation, in 2018, it enacted a federal legislation, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which allows the U.S. government to lawfully request data stored overseas by entities that are subject to U.S. jurisdiction, including U.S. companies and their subsidiaries. For example, if a subsidiary of Apple Inc. U.S. has data stored in the EU or India, U.S. law enforcement authorities have the right to access that data.

Some of these answers are also informed by research papers done by NIPFP and CIS:

Ambika Khanna is Senior Researcher, International Law Studies Programme, Gateway House

Designed by Daniella Singh, Design Associate, Gateway House.

This article was exclusively written for Gateway House: Indian Council on Global Relations.

For interview requests with the author, or for permission to republish, please contact outreach@gatewayhouse.in

© Copyright 2019 Gateway House: Indian Council on Global Relations. All rights reserved. Any unauthorized copying or reproduction is strictly prohibited.

References

[1] Ministry of Finance, Government of India. Economic Survey 2018-2019. Delhi: Government of India, July 2019. Accessed 4 July 2019. <https://www.indiabudget.gov.in/economicsurvey/>.

[2] Dobbs, Richard, James Manyika, and Jonathan Woetzel. Digital Globalization: The New Era of Global Flows. New York: McKinsey Global Institute, 2016. Accessed 4 July 2019. <https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/McKinsey%20Digital/Our%20Insights/Digital%20globalization%20The%20new%20era%20of%20global%20flows/MGI-Digital-globalization-Full-report.ashx>.

[3] “Amazon.in Privacy Notice.” Amazon.in. Accessed 4 July 2019. <https://www.amazon.in/gp/help/customer/display.html/?nodeId=200534380>.

[4] Ministry of Electronics and Information Technology, Government of India. The Personal Data Protection Bill, 2018. Introduced on 27 July 2018. <https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf>.

[5] Ibid.

[6] WP (Civil) No. 494 of 2012.

[7] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, Ministry of Electronics and Information Technology, Government of India. A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians. Submitted on 27 July 2018. <https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf>.

[8] Ibid at iv.

[9] PRS Legislative Research. “Session Alert – Budget Session 2019 (17th LS).” prsindia.org. 22 June 2019. <https://prsindia.org/sessiontrack/session-alert/842097>.

[10] Reserve Bank of India. “Notification: Storage of Payment System Data.” Reserve Bank of India. 6 April 2018. <https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11244>.

[11] For storing data only in India; RBI issued a clarification in June 2019 which inter-alia allows conditional sharing of data with foreign regulators.

[12] Imboden, Kevin, and Raja Seetharaman. “India Poised for Massive Data Center Growth.” Cushman & Wakefield, Inc. 20 April 2018. <http://blog.cushwake.com/americas/india-poised-for-massive-data-center-growth.html>.

[13] The State Council of the People’s Republic of China. Cybersecurity Law of the People’s Republic of China (Draft) (Second Draft). 1 June 2017. English translation by AmCham China. <https://www.amchamchina.org/uploads/media/default/0001/05/b78e2db2b147c09b8430b6bd55f81bc8299ea50f.pdf>.
