Have you ever wondered, where do all your personal information and financial data get processed and stored, well, most of our data get stored outside India and how any country organisation or even an individual can use it for its profit
If not then this article is a must-read for every one of you, every time you do anything on the internet, some amount of personal data get generated and stored in the servers present around the world?
Companies and governments around the world spend a bulk amount of money working on these big data sets that may be analysed using sophisticated software to reveal patterns, trends, and unions, especially concerning human behaviour and interactions.
Data localisation according to the Indian context, simply means that all the critical and essential user data which is collected must be stored and processed within the Indian geographical parameters and not on any cloud servers located outside India.
This is a must for securing citizen data, for better data sovereignty, national security, and economic development of the country.
Does that mean hackers can’t gain access to our information?
Importance of data localisation
Data is the new oil, an economic resource, which will fuel the fourth industrial revolution.
The Cambridge Analytica data breach which happened in 2018 when the data of millions of Facebook users’ was extracted without their consent by Cambridge Analytica,
To help political leaders in harvesting vote using human physiological behaviour and thus guessing about their personalities, interests and political affiliations, etc.
Then they displayed the targeted content of their patrons and the big data buyers on these Facebook profiles in to help them in their political campaigns and personal gains.
One of the primary needs for data localisation is to curtail unregulated and erratic use of personal data and to protect the private and financial information of the Indian citizens from foreign surveillance and to give Indian governments and law enforcement agencies the jurisdiction to access this data when required.
Using data and various AI tools Consumer habits can be studied, and policies can be framed which can impact the state in a positive way
In 2014, Cross-border data flowed contributed 2.8 trillion dollars to the global economy; according to research, it is expected to reach 11 trillion dollars by 2025.
Singapore has used this big data infrastructure and transport systems, other countries can also do the same
Things like machine learning (ML), artificial intelligence (AI), and the Internet of Things (IoT) can generate a tremendous amount of data, and this can be disastrous and can completely disrupt law and order if it gets into the hands of bad guys
With the emergence of cloud computing, Indian users’ data is outside the country’s peripherals, and it can lead to significant conflicts of jurisdiction in case of any dispute with any nation.
In in the age of global era when we are talking about going digital, and aiming for a digital economy, then it becomes prime importance for the government to store this big data inside Indian borders.
because there is a big market for data around the globe, anyone can purchase this data and can manipulate the Indians by showing them their desired things by taking account of their behaviour
Directly or indirectly, we all are laying our trust on global service providers, but with more and more information, it becomes a topic of concern about the end-use of such data.
For the time being, India can sign Mutual Legal Assistance Treaties (MLAT) with more and more countries to streamline the flow of data.
Data localisation is critical for law enforcement agencies, in case of any security breach or national threat, India cannot be dependent on the whims and fancies, and the lengthy legal processes of another nation that is hosting data generated in India.
|India has signed Mutual Legal Assistance Treaties (MLAT) with 42 countries for their cooperation and assistance in matters related to criminal activities.|
With the introduction of strict data localisation laws, various companies will be compelled to store Indian users data inside the Indian boundaries, which can bring investment, Datacenter industries and firms can get benefits.
When 5g arrives in the world in a full-fledged manner than a tremendous amount of data will get generated from every region of the world, its right time for the Indian government, to step into this technology
It can help IT and telecom infrastructure players to grow. It is the right time for Indian technology companies to evolve from traditional services and provide next-generation services and products to the world. International players of IT industries will also be looking at the Indian market, and this will help in the growth of the local ecosystem.
More data centres inside India could mean new, power-hungry clients for India’s renewable energy market. It can provide an instant boost to India’s renewable energy.
It will provide Very low or negligible latency due to the proximity of the data centre from the organization thus it will improve the page load speed of the website for anyone sitting inside India
Data localisation mandates in other countries
China: they mandate strict data localisation in servers within Chinese borders. some reports see data protection laws in Vietnam and China as being similar
Brazil, Japan, Korea, and New Zealand have put in situ data protection laws.
Australia and Canada: they are stiff on the protection of their health data
Vietnam: It mandates one copy data collected to be stored locally and for any company that collects user data to own a native office, quoting national interests of their country
Chile has the Data Privacy Act which regulates the treatment of personal information in public and private databases.
United states – the U.S. has no universal data protection law at the Federal level. However, it does have individual regulations like the HIPAA (Health Insurance Portability and Accountability Act of 1996) for health care, another for payments, etc
RBI mandate on Storage of Payment System Data
On April 6, 2018, RBI issued a circular which directed all payment services providers undertaking operations in India to make sure that data of individuals stored in their payment servers should be stored in data servers located within the territorial jurisdiction of India.
The RBI later clarified that in certain situations, data could also be stored abroad if the transaction involves cross border transaction
consisting of a far off component and a domestic component if required a replica of the local data can also be stored abroad
The clarifications also state that the banks, especially foreign banks, that were earlier expressly permitted to store banking data abroad, may still do so;
however, in respect of domestic payment transactions, the info shall be stored only in India
The details that are to be stored in India include every minute transaction details and knowledge concerning payment or settlement transaction that’s collected/ transmitted/processed as a part of a payment.
This might comprise – customer data; sensitive payment data (customer and beneficiary account details); payment credentials; and, transaction data (transaction reference, timestamp, amount, etc.)
Personal Data Protection Bill 2019
The PDP bill or Personal Data Protection Bill, 2019 was first presented as a draft in 2018 prepared by a high-level expert group headed by the former Supreme Court judge B.N. Srikrishna and was introduced in the Lower house by, Mr Ravi Shankar Prasad(Union Minister Law and Justice, Electronics and Information Technology and Communications ), on December 11, 2019.
The Bill seeks to provide for the protection of personal data of individuals and aims to establish a Data Protection Authority for the same.
This can also Seek to update incomplete, inaccurate, or out-of-date personal data from individuals or firms
But this bill has received severe backlash from several experts and media outlets because of the unrestricted right that the legislation provides to the government to access private data,
However, the Personal Data Protection Bill, 2019 does provide some respite to the uncompromising data localisation rules. Under the private Data Protection Bill, 2019, personal data has been sub-categorized into two categories:
(i) Sensitive Personal Data
While sensitive personal data is explicitly defined, critical personal data is described as such personal data that may be notified by the Government.
The bill relaxes data localisation restrictions and applies them to only important and sensitive personal data.
The private Data Protection Bill, 2019 removes the clause of mandatory storage of all personal data within the country.
Under the 2019 bill, those sensitive personal data which are often transferred outside India have to be stored inside India also.
Furthermore, sensitive personal data will only we transferred abroad after the fulfillment of certain conditions, which incorporates obtaining clear-cut consent from the data principal and being in pursuance of a contract or an intra-group scheme that safeguards the principal data rights, while also ensuring liability on the data processor (fiduciary) if harm does occur
Additionally, sensitive personal data may be transferred abroad if the data which is to be processed has an adequate level of protection in that state jurisdiction and shall only be accessible by the authorities having jurisdiction for the enforcement of relevant laws when required.
The 2019 bill mandates that all processing of critical personal data outside India is prohibited.
However, the transfer of such critical personal data is permitted to a person or entity engaged in the provision of emergency services or health services in specified circumstances and to any entity or country approved by the Indian Government subject to the fulfillment of certain conditions,
and where the transfer of such data does not affect the security and strategic interest of India.
The other aspect is the use of personal processing data. This Bill allows the processing of knowledge by the data processor (fiduciaries) as long as the individual provides consent.
However, in certain circumstances, personal data are often processed without consent. These include:
(i) if required by the nation for providing benefits to the individual
(ii) legal proceedings
(iii) to reply to a medical emergency
Draft E-Commerce Policy
The Draft E-Commerce Policy proposes putting up a technological and legal structure for restricting the cross-border flow of data and put forth certain conditions for businesses regarding the collection and processing of sensitive Indian data locally and storing it abroad.
A framework would be created for enforcing certain restrictions on cross-border data flow generated by users in India by various sources, including e-commerce platforms, social media, search engines and data collected by these companies using IoT devices which are installed in public places
The 42-page draft addresses six main issues of the e-commerce ecosystem —
- Infrastructure development
- e-commerce marketplaces
- regulatory issues
- stimulating domestic digital economy
- export promotion through e-commerce