India’s data usage orders are outdated
Insisting all data on citizens should be stored inside the country will not help anyone
India has a long history of drafting laws to protect its companies. In the process, Indians themselves often suffer. That’s precisely what will happen if the government proceeds with plans to force companies doing business in India to store all customer data locally.
The first salvo in this campaign was fired in April, when the Reserve Bank of India ordered companies to store the “the entire data relating to payment systems operated by them “in a system only in India”. The central bank claimed this was necessary to ensure its “unfettered supervisory access” for “better monitoring”.
While India isn’t the only country to prevent companies from sending their data offshore, the RBI edict was unusually strict. Even Russia allows copies to be kept elsewhere.
Google, among others, has complained loudly that the RBI’s six-month deadline, which is approaching fast, is too short. Meanwhile, the government has begun considering a draft data-security law that requires datacentres for all companies be physically located within India.
India’s track record on the regulation of new technologies is abysmal. The RBI has been a particularly grave offender: India has yet to develop a proper digitalpayments infrastructure largely because the central bank stifled its growth at birth, insisting that telecom companies offering cheap money-transfer services become banks first.
Indian companies such as Airtel rolled out services in East Africa instead. Then, in 2014, the RBI required that every online card payment, even the smallest, go through a two-factor authentication process. To pay for an Uber in India, you have to enter your credit card password, swiping at your phone in the rain or blinding sun, even if your ride has cost only $1.50. Perhaps many of these decisions would have been different if Indian bureaucrats had ever had to take a cab, transfer money to a village through an SMS or the like. Their distance from the country they seek to regulate unfortunately has few peers in the world.
The fact is that the arguments used to justify the need for data localisation simply aren’t persuasive. Proponents say, first, that places such as China do it. This barely requires a reply: China really shouldn’t be a model for anyone designing a free and open digital economy.
The second argument is that preventing foreign companies from repatriating and making money off of Indian consumers’ data will help Indian companies grow. If data is the new oil, then surely Indian companies should have exclusive access to Indian data they can mine?
This nativist instinct is in line with the rest of the national e-commerce policy, which openly seeks to tilt the playing field in favour of domestic companies. The panel that wrote the policy very noticeably excluded members from the big credit card companies, as well as Amazon and Uber.
But, for one thing, some existing “Indian” payments companies, such as the largely Chinese-financed Paytm, are Indian in name only. And localising data will wind up hurting Indian companies that seek to integrate with the world.
Another economic wall
Can you imagine the Indian businessprocess outsourcing industry surviving a data trade war? A borderless internet is what turned India into an IT services superstar. Localisation is just another kind of economic wall, not dissimilar to the tariffs that the government has begun to reimpose on imports after a generation of openness.
Finally, in a particularly Orwellian twist, the government has claimed that keeping data in the country will protect Indians’ privacy. In fact, that just means that Indian bureaucrats will be able to get their hands on it.
India’s privacy laws are weak; messages can be intercepted just on a senior security official’s say-so, with minimal oversight or accountability, and even this requirement is widely ignored. Moving Indians’ data from the relative security of US-based servers to ones that their own government can access with ease is not going to make them any safer.
Most Indians would trust Google’s commitment to its users much more than they would their government’s commitment to its citizens’ privacy. I certainly do.
When governments build barriers to protect companies, then consumers suffer, growth stagnates, and the entire country falls behind the rest of the world. Data localisation limits possibilities for India’s vibrant start-ups. They should be able to locate their servers wherever they want and use whatever cloud services make most sense for them. As for consumers, they have the right to access a free and unfettered internet and to use the highest-quality or cheapest online services they can find.
And, certainly, they have the right to store their personal data wherever they want. Moving to a “splinternet” would hurt people and businesses worldwide — but those in India more than most.