This post has been written by Founding Editor Viraj Ananth.
Early in 2018, Narendra Modi remarked before the World Economic Forum: “the flow of global data is creating the biggest opportunities and the greatest challenges.” Although the Indian Government has thus acknowledged the economic importance of cross-border data transfer, its regulatory response to the same has been questionable, to say the least.
On April 6, 2018, the Reserve Bank of India (“RBI”) issued the Storage of Payment Systems Data Circular (“Circular”), which directed all systems providers to ensure the storage on Indian servers (or localisation) of all payment data. Providers were required to complete localisation and submit a compliance report to the RBI by October 15, 2018.
Data localisation was also considered favourably by the Justice Srikrishna (Retd.) Committee (“Committee”), which was constituted to draft a data protection legislation for India. On July 27, 2018, the Committee submitted the draft Personal Data Protection Bill, 2018 (“Bill”) and the corresponding ‘A Free and Fair Digital Economy’ Report (“Final Report”). Curiously, while the Final Report only calls for the localisation of critical personal data, the Bill prescribes a considerably more burdensome requirement. S. 40(1) of the Bill mandates that every data fiduciary store a ‘serving copy’ of personal data on a data center or server located in India.
This post argues against the data localisation policies of the Government, analyses the harmful economic impact of the same on business in India, and finally concludes by suggesting alternate means of ensuring cross-border data flow while also addressing privacy concerns.
Why is Data Localisation a Contentious Subject?
Primarily, data localisation has been met with opposition on the ground that it is an economically inefficient and illogical policy. First, it would force companies to make additional investments to purchase cloud storage capacity in India, and this would particularly harm start-ups, for whom cost reduction is determinative of success or failure. Such start-ups would ordinarily choose to leverage more established and efficient foreign cloud services, operating on economies of scale. There also currently exists insufficient cloud storage capacity in the country to accommodate such volumes of data, and companies scaling up capacity would likely push a portion of the costs onto companies seeking their services.
Further, cloud servers are commonly located in cooler regions, to minimize cooling costs. Utilising natural and free air cooling in such regions is estimated to cut up to 40 percent of the capital costs of data centres. Accordingly, data centres located in a tropical region like India would require energy intensive conventional cooling systems to ensure optimal temperatures within the centre, and such additional costs are also likely to be pushed onto consumers.
Second, the business models of numerous foreign companies operating in India rely on the ability to freely transfer data across borders. This is particularly problematic for payment companies, for example, since the RBI Circular makes no exemption for cross-border transfer and instead calls for absolute localisation, unlike the Bill, which allows for such transfer subsequent to serving a copy in India. Such restrictions impinge on innovation and research and development capabilities, and more broadly, decrease business efficiency. Even with respect to localisation requirements under the Bill, companies would now be required to spend additional financial resources on storing copies in India, prior to sharing the same internationally.
There also exists a fair deal of ambiguity with respect to the nature of the serving copy required under S. 40(1) of the Bill. While the Final Report calls for a ‘live, serving copy’, the Bill only mentions ‘serving copy’. Such omission could either be intentional and indicative of the Government’s acknowledgement of the overly burdensome nature of a live requirement, or could merely be a drafting error. In any case, reading the requirement as a live copy would only further disproportionately impact entities doing business in India, as all data-in-transit would also need to be stored in real-time, in addition to data-at-rest.
Is the Government Justified in Imposing Data Localisation?
The Committee, in its Final Report, dealt extensively with the costs and benefits of a policy of data localisation. It is noteworthy that the Committee, in disregarding the issue of economic impact on smaller entities in the country, placed heavy reliance on the fact that the scope of the requirement extended only to critical personal data. The Bill, however, by extending the requirement to all personal data, significantly increases the onerous effects on such smaller entities, since a much greater capacity of storage would be required for all personal data.
One of the benefits highlighted in the Final Report is “building an Artificial Intelligence (“AI”) ecosystem”. The Committee notes “growth of AI is heavily dependent on harnessing data”, but fails to take cognizance of the fact that the mere presence of personal data within Indian geographical limits does not amount to access to the same. Unless the Government is able to satisfy the exemptions listed in Chapter IX of the Bill, it would be unable to gain access to and ‘harness’ such data. Data fiduciaries (and data subjects, of course) will continue to exercise exclusive control over such data even when it is stored in India.
On the enforcement front (which is the Government’s most significant concern) as well, improvements will be marginal at best, as companies will not merely sit idle while the Government assumes free access to their data and floods them with requests for the same. Law enforcement access can instead be bolstered through a holistic involvement of the data fiduciary’s Data Protection Officer (“DPO”), who could be held accountable by the Government, for providing access to data when required under law.
With respect to the localisation requirement under the Circular, even if the benefit of “better monitoring” is indeed achieved, the means used to obtain such benefit is unreasonable as it provides no scope for cross-border transfer of data. Accordingly, the economic costs of such a policy outweigh the marginal increase in monitoring capabilities.
Is There Any Way Around the Requirement?
The Bill introduces an interesting nuance to this question, through a joint reading of S. 40(1) and S. 3(29), which defines ‘personal data’. Since the scope of S. 40(1) only extends to personal data, any data which is not ‘personal data’ will not be required to be localised. As per S. 3(29), personal data is “data about or relating to a natural person who is directly or indirectly identifiable.” Accordingly, a data set through which it is no longer possible to identify an individual, either directly or indirectly, will not constitute personal data for the purposes of S. 3(29) and S. 40(1).
A data set would no longer be capable of indirect identification once the same has been anonymised. Under S. 3(3), anonymisation is defined as “the irreversible process of transforming or converting personal data to a form in which a data principal cannot be identified, meeting the standards specified by the Authority.” It is opined that two interpretations may be derived from this definition: first, that in order to constitute anonymised data, the process must be completely irreversible, with no chance of re-identification. Second, that the standard to be met to be classified as anonymised is one lower than absolutely irreversible and is “to be specified by the authority.”
The first and stricter standard is analogous to the ‘legal means’ test adopted by the European Court of Justice in the Breyer case. According to this (now outdated) test, as long as the fiduciary possesses the legal means to obtain the data, the possibility of re-identification is significant and the data cannot be considered as sufficiently anonymised. However, if the Final Report is relied on for interpretative value, it leads to the implication that the latter, lower standard must be adopted. The Committee notes that in determining whether a data subject is indirectly identifiable, regard must be had to numerous objective factors, such as the cost and time required to re-identify and the state of the technology used to anonymise the data. This standard is analogous to the reasonably likely test, prescribed under Recital 26 of the General Data Protection Regulation (“GDPR”).
This latter interpretation is further strengthened by the Committee’s observation that the standard of re-identification adopted should not be so onerous as to “have the effect of minimal privacy gains at the cost of greater benefits from the use of such data sets.” Accordingly, if fiduciaries employ a privacy by design approach, as per which the cost and time required for re-identification are made disproportionately high, this might take such data sets beyond the scope of personal data and consequently, exempt the same from the localisation requirement under S. 40.
As noted earlier, the detrimental economic impact of a data localisation policy will be felt most by small businesses and start-ups. While established companies have the resources to leverage the more cost-inefficient Indian storage capabilities, start-ups will struggle to accommodate heightened costs. Accordingly, it is suggested that the Government implement an exemption similar to that prescribed in the (now withdrawn) Draft e-Commerce Policy. Clause 2.2 of the Policy provides that start-ups, up to a turnover of Rs. 50 Crore, are to be exempted from data localisation requirements under the policy. Similarly, in the context of the Bill, start-ups may, for example, be provided regulatory latitude to only localise sensitive data, since the privacy gain by extending this to all personal data is minimal, while the economic costs to such entities would be disproportionate.
The Unique Identification Authority of India (“UIDAI”) must take a conscious decision with respect to the standard it chooses to prescribe for the definition of anonymisation under S. 3(29). If, for example, fiduciaries are able to sufficiently aggregate data, effectively delete personal identifiers from the same and further, utilise numerous anonymisation techniques such as masking, suppression and perturbation, such that re-identification cannot be achieved through reasonably likely means, fiduciaries should be exempted from the S. 40 requirement. However, despite the economic utility of such a move, as well as the absence of a privacy threat, the UIDAI may still choose to prescribe the higher standard to cater to the Government’s ‘enforcement’ mandate.
The European Union’s GDPR, in putting not enforcement, but privacy concerns at the fore of the cross-border data transfer debate, does not mandate data localisation. Instead, it provides for an effective means of safeguarding privacy while still ensuring the free flow of data, i.e. data adequacy. As per Art. 45 of the GDPR, countries shall be designated as data adequate by the European Commission, having regard to their data protection legislations, supervisory authorities and international commitments. Subsequent to such determination, personal data may freely be transferred, without the requirement of specific authorisation. By ensuring data is only transferred to countries with equal or better protection than India, and further, by having only one and not two physical copies of the data, privacy concerns are mitigated, while still deriving the economic utility of cross-border transfers.
Accordingly, even if the RBI continues with its localisation mandate, it should also provide for cross-border transfer of the same, subject to such adequacy determination. Allowing such cross-border transfer would in no way trigger the only significant harm identified in the Final Report, i.e. foreign surveillance. The Report clearly highlights that surveillance is particularly detrimental only in case of certain types of critical personal data, such as genetic, biometric, health data and Aadhaar number, for example. As a result, if such critical personal data is absolutely localised, allowing for the cross-border transfer of payment and financial data will not trigger the associated harm, but will allow businesses to flourish.
There is near absolute consensus on the wide-ranging economic benefits of fostering cross-border data transfers, with the Indian Government itself having acknowledged the same on numerous occasions. The Government’s data localisation policies, however, by significantly depriving business of said benefits, will likely drive numerous businesses out of the country, while stifling many others. The benefits sought to be achieved by the Government are, if at all, only tangentially achieved, with disproportionate costs flowing from the same.
Moving forward, there are ways to accommodate economic growth and particularly, the cross-border transfer of data, within the data protection and privacy framework of the nation. However, what stands in the way of such accommodation is the over-paternalistic approach of the state and its emphasis on the enforcement mandate, and this approach stands to undo much of the progress made on the Ease of Doing Business front.