We need a cost-benefit analysis of data localization
India’s draft Personal Data Protection Bill has sparked debate over data localization, with the government insisting on processing personal data within the country. Unlike other nations that restrict data transfers, India has made localization the default, an approach seen as out of character with its global trade stance.
This article was first published in The Mint. You can read the original at this link.
The furore over data localization reached fever pitch last week when an article in The Economic Times claimed that provisions in the draft Personal Data Protection Bill were being watered down to apply only to critical personal data. No sooner had it been published than the ministry of electronics and information technology issued a press release, stating that the news report was speculative. It clarified that all aspects of the draft bill were still under consultation and, when finalized, the draft law will address India’s data sovereignty concerns and provide a framework to boost innovation.
Data localization has proven to be a particularly polarizing topic in India over the past six months. While almost every international company (and a few domestic ones) has expressed concerns over the government’s insistence on requiring the personal data of Indian residents to be processed only within the country, almost as many voices have come out in support, claiming that data is a sovereign asset that must be used for the nation’s benefit and that we have been remiss in ceding control to foreign companies which now know more about us than we do ourselves.
The notion of data sovereignty is not a new one. Every modern privacy law has regulations that limit the transfer of data out of the country. The European Union applies an adequacy test, only allowing data to be transferred to countries that have at least the same level of data protection as the EU. Even within a group, data can only be transferred to companies in other countries if they have agreed to a set of binding corporate rules that apply EU privacy principles to intragroup data transfers. Transfers out of the group are only allowed if the transferee agrees to standard contractual clauses that have been pre-approved by EU data regulators. China, on the other hand, relies on a certification process that only allows data to be transferred abroad if the recipient has been approved and its data protection practices (with respect to storage, processing and protection) certified as meeting the prescribed standards.
Some countries have set up bilateral agreements for the transfer of data, the best known of which is the US-EU Privacy Shield that was arrived at in order to allow personal data flows between the US and the EU, even though US privacy laws were not adequate from an EU perspective. Other countries have similarly arrived at agreements for the transfer of data on a multilateral basis. The APEC Cross Border Privacy Rules system allows the free flow of data between organizations in signatory nations based on certifications issued by accountability agents situated in each such jurisdiction. At the G20 summit in Osaka, Japan proposed a multilateral arrangement called “Data Free Flow with Trust” that proposes an inter-jurisdictional cooperation regime for information sharing, investigation and cross-border enforcement.
Sovereign nations have always found ways to exercise sovereignty over the personal data of their citizens. This has usually taken the form of restrictions on the movement of data across national borders. Businesses that operate transnationally are accustomed to this. They are used to frequently reorganizing their operations to comply with the latest restrictions imposed on the data they collect by the countries in which they operate—knowing that a failure to comply means they will have to process the data they have collected in-country.
Every modern data protection law contains provisions relating to conditional transfer restrictions. While their primary purpose is to set out the grounds under which data can flow between nations, what is implied but often left unstated is that if any or all of the conditions of transfer are not satisfied, the data that is sought to be transferred will have to be processed domestically. This means that even if not explicitly stated, all modern privacy laws have default localization provisions.
Seen from this perspective, what makes India’s approach so unusual is the fact that it has taken the conventional frame and flipped it on its head. Where every other country has recognized data transfers as the norm, permitting the free flow of data across borders and only applying restrictions to either address inadequacies in the legal regime or in the privacy practices of the recipient, India has made localization the default, prohibiting the movement of data across national borders in all but a limited number of circumstances.
I am not sure why we had to come up with this articulation. Ever since economic liberalization, India has been an active participant in global trade, a veritable poster boy for free trade and the cross-border flow of goods and services. One might argue that it is precisely this attitude of openness, this willingness to trade with everyone, that is the reason why we have been the recipient of such vast inflows of trade and foreign direct investment. Given our reputation for openness, this approach of requiring data localization by default seems somewhat out of character.
Data localization and restrictions on cross-border data flows are two sides of the same coin. Everything we think we’ll get by localizing data can just as easily be achieved through the careful application of restrictions on cross-border data transfers. We just need to take the trouble to look at the problem from a different perspective.