For Data Protection Minus Data Residency
India needs laws on privacy and data protection. The chances of data breaches taking place from some node with lax security or the other of an interconnected mesh of nodes are growing by the day. And once a person’s biometrics have been compromised, they cannot be reissued like passwords. Intelligent policy formulation, after public debate involving all stakeholders, and enforcement of norms brook no delay.
Some technological fixes are on the horizon, with blockchains, the technology underlying bitcoins, promising the possibility of individual control over some crucial data. Even so, India will need both national legislation and binding agreements with other nations, to make optimal use of data. There is a growing cry to legislate data residency, the requirement that data on Indians should necessarily reside within India. While it is vital to protect personal data, it is futile to imagine that mere location of servers in a particular geography will take the data stored on them beyond external scrutiny. What is more germane is to formulate intelligent and enforceable domestic data protection rules and allow data portability only to other jurisdictions that offer similar protection and guarantees of protection to the data of Indians as well. The EU seeks to harmonise dataprotection laws across its member states precisely to allow cross-border data mobility without loss of data integrity.
Data portability is vital for two reasons. India has the potential to process much of the world’s data and cannot afford to be locked out of this opportunity because of its own restrictive policies on data mobility. Further, advances in artificial intelligence depend on access to all kinds of data, from which algorithms learn. India needs wide debate on global best practices in data protection, leading to firm policy.