Go beyond data localisation
Indian laws should apply regardless of where it is located
The recent Supreme Court ruling affirming that the right to privacy is indeed a fundamental right has naturally led to a review of the common practices regarding personal data of Indian citizens. That, in turn, has highlighted many grey areas pertaining to data protection. The court has constituted a five-member constitutional bench to consider the matter. It has also sent notices to several internet and social media companies, including multinational giants such as Google, Twitter, Facebook and its subsidiary, WhatsApp. These firms were asked to outline the practices regarding the collection, storage and usage of data of Indian users. In particular, the court asked if the data was being shared with third parties. The notices were triggered by a petition alleging that WhatsApp shared personal data with Facebook after the takeover.
The notices follow a government enquiry in August; the Centre had asked 21 major mobile handset manufacturers to outline what they did with the data collected from Indian users such as personal information, contacts, hobbies etc. These companies operate through local subsidiaries and have an incentive to aggressively analyse all Indian data. It is crucial in this regard that the data collected is generally stored on servers located outside India. Such data is mined and analysed extensively and, quite possibly, shared with affiliates, as Twitter admitted.
The government is believed to be contemplating a law to mandate data-localisation; in other words, requiring data on Indian users to be stored on servers within India and, hence, subject to Indian jurisdiction. At this instant, there is no law that explicitly guards either privacy, in general, or data privacy, specifically. Hence the data is currently in a legal limbo since the companies in question have not broken any law in locating data abroad and sharing it, if they have indeed done so. It is good that these questions are now being asked, even in the absence of legislative clarity. The Supreme Court ruling makes it imperative that a strong privacy law with robust safeguards is swiftly passed by Parliament. Any such law should protect the right to privacy of citizens and make it illegal for data to be shared with third parties without a citizen's explicit consent.
However, data localisation is a different matter. Relatively few countries have data localisation laws, and several undemocratic regimes such as China and Russia are advocates of such laws. Indian servers are not necessarily more secure than servers located abroad, given the occurrence of multiple leaks on a massive scale. What is more, the government can demand and receive full access to locally-stored data and, given the opacity of Indian surveillance protocol, data localisation could easily lead to egregious privacy violations. The crux of the matter is that this data is generated by Indian citizens. So Indian laws should apply, regardless of where it is located. Going by the example of relevant legislation in the European Union, the data should, in principle, belong to the individual citizen who has generated it. But to implement this in practice will require a carefully drafted privacy code that is passed into law as quickly as possible.