Data localisation must go, it damages the global Web
It may seem attractive based on notions of sovereignty, but it only ends up making personal data more vulnerable
OOn July 27, the Justice Srikrishna Committee submitted its report on the principles that will guide the framing of India’s data protection statute. With its report, the committee also submitted a draft Personal Data Protection Bill. Given that India remains an exception to the list of countries with data protection laws, this draft Bill is a welcome step. Regretfully, however, some of the committee’s proposals not only risk weakening privacy rights guaranteed under the Constitution, but also undermine the committee’s own stated objective of a free and fair digital economy.
One such recommendation is the requirement to mandatorily store a copy of all personal data on servers in India. This requirement needs reconsideration not only because it militates against the idea of a global Internet, but also because it fails to adequately consider surveillance harms, issues of data security and their detrimental effects on industry.
Usually, the rationale behind restricting cross-border flow of data is to prevent entities from circumventing their obligations under national laws for data protection, or to protect personal data from processing risks abroad. Viewed in this context, the requirement to retain only a copy of all personal data in India is curious as it fails to achieve either of the two objectives mentioned above.
As lawyer Chinmayi Arun has pointed out, this mandate appears to be geared more towards the State having access to personal data rather than a desire to protect it. The report suggests that such access is necessary for enforcing domestic laws, a legitimate state interest but advocating for increased access to personal data through mandatory localisation without adequately considering surveillance risks is unhelpful. Besides surveillancerelated harms, data localisation also imperils the security of the data itself. It reduces the choice available with data fiduciaries by forcing them to opt for local but less secure data centres. In a 2016 survey, India was ranked 36th out of the 37 countries surveyed for risks associated with operating data centres.
The committee’s view that localising data will aid the creation of a digital industry for emerging technologies is equally misplaced. Experts have argued that data localisation has an adverse impact on businesses, as it escalates their infrastructure and energy costs.
The requirement for mandatory data localisation may seem attractive based on notions of sovereignty, but it achieves little except damaging the character of the global Internet, making personal data more vulnerable in the process. Such a proposal is regressive and it is hoped a process of public consultation provides opportunity to deliberate it further.