## Friday, February 22, 2019

### Data localisation in India: Questioning the means and ends

by Rishab Bailey and Smriti Parsheera.

Data localisation has become a recurring topic in Indian public policy debates. This has been prompted by moves such as the RBI directive in April 2018 mandating local storage of all payments-related data; the proposals in the draft Personal Data Protection Bill, 2018; and localisation proposals in other sectors such as e-commerce and health. Calls for localising data are increasingly tied together with the narrative of "data colonisation", with localisation being seen as an antidote to control of global data sets by large multi-national corporations. At the same time, there are broader concerns about the growing relevance of the digital economy, its diverse socio-economic impacts and the limited ability of states to effectively regulate this space. In the absence of a global compact on issues such as privacy, cyber security, surveillance, and cross border data flows, data localisation is being seen as a tool, although a contested one, to exert national control over the digital ecosystem.

Much of the conversation around localisation has been centered around economic arguments, in terms of its compliance costs, impacts on the industry and overall economic growth. In a recent paper on this subject, we try to broaden this debate by classifying the arguments around localisation into three perspectives -- the civil liberties perspective, with a focus on expression and privacy rights; the government functions perspective, focusing on data access by state agencies for regulatory and law enforcement purposes; and the economic perspective referred to above.

Following an exploration of these different perspectives, we note that the overall costs of across-the-board data localisation norms are likely to outweigh their expected benefits. Yet, there may indeed be circumstances where a narrowly-tailored localisation requirement might be justified. Therefore, rather than implementing far-reaching, but poorly thought out, solutions mandating data localisation, the current focus should be on building a transparent process for weighing the trade-offs of data localisation in different contexts. At the same time, we must be equally cautious of sweeping "free flow of data" provisions in international trade agreements, which may amount to giving up the ability to adopt specific measures as and when a need is identified.

### What is data localisation?

The term data localisation generally refers to requirements for the physical storage of data within a country's national boundaries although it is sometimes used more broadly to include any sort of restrictions on cross border data flows (Chander and Le, 2015). Ferracane (2017) categorises such restrictions into two broad heads -- strict and conditional. The former category includes requirements of local storage or processing of data or, in stricter cases, a complete ban on transferring the data abroad. In case of conditional restrictions, the transfer of the data is made subject to the satisfaction of certain conditions, such as obtaining the consent of the user before transferring the data.

In the paper, we use the term in its commonly understood sense, implying the mandatory requirements of local data storage. This could be in the form of exclusive retention norms, which mandate that the data should be retained only on domestic servers, or the slightly less stringent version of data mirroring that compels at least one copy of the data to be stored locally.

Despite the attention it has garnered in recent times, the data localisation debate is not something new. As per a study conducted by the European Centre for International Political Economy, over 80 different localisation measures were introduced in the 64 countries studied by them in the last 50 odd years (Ferracane, Lee-Makiyama & van der Marel, 2018). Links can however be drawn between the surge in data localisation measures in the last ten to fifteen years and the rise of the data-driven economy with accompanying social, economic and political consequences.

While some countries, like Russia, China, Vietnam and Indonesia, have opted for relatively broad based localisation requirements, most others tend to apply differential standards based on the nature of the data and the sector to which it pertains. To take a few examples, sectoral localisation norms are found in Australia (health data), France (data relating to judicial proceedings) and Germany (telecommunications metadata and tax accounting data) (Cory, 2017). It is also common to find localisation requirements for government and public sector data. India has also adopted localisation norms for certain specific types of data, such as public records as well as data held by telecommunications providers. Pursuant to the RBI's directive in 2018, all payments sector data is also required to be stored "only in India". The paper criticises the manner in which this decision was brought into effect, without sufficient articulation of the objectives; inadequate justification for choosing exclusive localisation as the most appropriate response; and absence of any public consultation.

In the sections that follow we outline the implications of localisation measures from the civil liberties, government functions and economic implications perspectives.

### Civil liberties perspective

While localisation may affect a number of rights, including those relating to business, property and association, the primary rights affected are those of privacy and freedom of speech and expression.

Privacy and security of data: The increasing privacy awareness in India, particularly after the Supreme Court's judgment in the Puttaswamy case and the Cambridge Analytica-Facebook incident, is often used as a peg to demand the localisation of personal data. This is also reflected in the Personal Data Protection Bill, 2018, which mandates the creation of local copies of all personal data (subject to certain exceptions). The Bill also requires exclusive domestic processing of certain categories of data, which are to be notified in the future. Given the increasing volumes of user data being generated and captured in the digital ecosystem and the possible harms that may occur from unauthorised uses of personal data, there is little doubt about the need for having appropriate legal and technical frameworks for data protection. It is, however, questionable whether merely locating data within the territory of India would actually make it any safer or less likely to be misused, particularly in the absence of a modern and well-functioning data protection law.

There are three sets of issues to be considered in this context:

1. Architectural issues: The first set of questions relate to whether localisation would lead to greater centralisation or decentralisation of data; and which of these would be preferable from a security and data protection perspective? Some argue that forced localisation would cause providers to spread their resources over a large number of locations, with reduced security at each level (Cohen et al., 2017). It is also argued that domestic enterprises may lack access to the necessary infrastructure and technical or human capacity to implement strong data security measures (compared to bigger, globally competitive entities based in jurisdictions of their choice) (Chander & Le, 2015). Kuner (2015) however points to the "jackpot problem" -- that hackers often target large global players, precisely because of their size and the quantity of user information they store. In addition, there is also the question of how data localisation requirements will be monitored and enforced and what this may mean from a civil liberties perspective.
2. Adequacy of current laws: While privacy has been recognised as a fundamental right, the institutional framework for enforcing this right still remains inadequate. Indian law also continues to grant wide powers of interference with privacy rights to the Government. Notably, the Government has broad powers to call for information under the Criminal Procedure Code and other surveillance related laws. In the absence of broader legal or regulatory reform, it is therefore questionable whether localisation will actually enhance privacy and security of personal data of Indians. It is worth noting in this respect that instead of insisting on mandatory localisation, alternative and less intrusive measures could also be considered to ensure the safety of data irrespective of its location. The European GDPR, for instance, utilises measures such as binding contractual rules and adequacy decisions to ensure that data is protected irrespective of its location.

   Given the requirements for an interference with the fundamental right to privacy, as articulated by the Supreme Court in the Puttaswamy case, the onus would be on the state to demonstrate the proportionality and necessity of any localisation measures. This would involve demonstrating that no alternative, less intrusive means are available to reach the same end, which will be hard to justify in case of sweeping localisation measures.

3. Domestic and foreign surveillance: In the absence of adequate checks and balances in the law, localisation can enable more intrusive information gathering by local intelligence and law enforcement agencies (LEAs). While acknowledging this concern, it is sometimes argued that localisation would also limit the ability of foreign intelligence agencies to spy on Indian data. However, the sufficiency of this reason as a ground for localisation can be contested on three fronts. First, as noted above, localisation would make it easier for local agencies to carry out surveillance, both through legal as well as extra-legal means. Increased surveillance by domestic agencies would constitute a greater immediate threat to citizens compared to surveillance by foreign agencies. Second, legal developments such as the passage of the CLOUD Act in the United States (US) authorise US agencies to access data stored abroad by US companies. Finally, given what we know about the pervasive and sophisticated nature of intelligence tactics used by several agencies, localisation may not actually stop them from accessing local data. To fully safeguard domestic data against any such interference will require a level of isolation from the Internet, which is not desirable or even possible in a modern democratic setup.

   It therefore appears that localisation may increase domestic surveillance while the benefits with respect to foreign surveillance remain unclear. However, in this context one also has to keep in mind that while a citizen may have some protections against surveillance conducted domestically, this would be much harder in case of surveillance by foreign actors.

Ultimately, the degree of protection afforded to data depends on the effectiveness of the data protection regime and the technical measures being implemented. India is currently lacking on both parameters. Without such frameworks in place, using privacy or security of data or the possibility of a data breach as an explanation to mandate localisation appears far-fetched or, at best, premature. In general, the interests of Indian users would be better served by making sure that the relevant data is adequately protected, irrespective of its location, by putting in place a comprehensive law covering issues of data retention, access by regulators, courts and LEAs and safer mechanisms for cross border data transfers.

Freedom of speech and expression: As far as the effects of localisation on expression rights are concerned, one must keep in mind that an essential characteristic of the Internet is the ability to send and receive information freely across borders. This global access enables the Internet's generativity -- the capacity to enable unforeseen innovation; which could be harmed by broad localisation norms. While merely locating data in a country does not in itself make it vulnerable to censorship (or surveillance); data would certainly be more vulnerable if the country the data was located in had laws that gave the state greater powers of restricting access to content, or if it lacked the capacity or will to ensure proper oversight of its executive agencies.

The Indian state has been increasingly resorting to broad based censorship measures in the digital space. Examples of this include the proposal of requiring Internet intermediaries to undertake proactive monitoring of content on their platforms (Bailey, Parsheera and Rahman, 2019); and the increasing number and duration of Internet shutdowns. These instances indicate that localisation may provide yet another tool for the state to carry out censorship more easily and effectively.

Localisation could also mean that smaller entities or those that do not consider India to be a significant enough market to justify the financial and transactional costs of localisation could pull out their services. This is known to have happened in the European context post the enactment of the GDPR, which resulted in some online multiplayer games and foreign news websites becoming inaccessible to European users. It is also worth remembering that censorship of localised content could make it inaccessible all over the world (not just domestically).

One of the arguments put forth by the Justice Srikrishna Committee in support of localisation is that it would reduce the vulnerabilities that India may face in case of any breach in undersea cables and resulting disconnection from the Internet. We believe that the benefits to speech rights, which may result in that (low probability) circumstance, are offset by the real threat of increased censorship and denial of access to media and services on an ongoing basis.

### Government functions perspective

It is the duty of a state to ensure that individuals are adequately protected and have an effective remedy for breach of their rights. This requires state agencies to have appropriate tools for the investigation and take down of illegal content, in accordance with the procedure established by law. Equally, regulatory entities also have genuine requirements to access data in connection with the discharge of their functions. It has however been noted that jurisdictional and other barriers often make it difficult for domestic agencies to gain legitimate access to the required data. The absence of broader international agreements on cross-border data sharing and complexity or delays in the processes under mutual legal assistance treaties (MLATs) further complicate this problem.

On the face of it, it therefore appears that localisation would aid law enforcement and other domestic institutions to implement local laws more effectively. It would also not be a stretch to argue that companies are far more likely to respond to requests from local authorities in circumstances where these agencies are in a position to take punitive action against physical infrastructure or personnel. However, a closer examination may lead one to question whether localisation will indeed help enforce laws or secure regulatory access on account of the factors listed below.

1. Location not the only determinant: Location is not the only determinant of lawful access by LEAs and regulatory agencies. A significant proportion of data flows are encrypted. In fact, regulatory entities such as the RBI themselves mandate encryption of certain forms of data. This implies that even if the data is stored locally, authorities have to go through the process of making lawful decryption requests before the data is accessible to them in a usable form. The Apple-FBI situation, where the company refused to decrypt data for the FBI, illustrates the kind of barriers that may be faced in this process.
2. Need for proportionate measures: Localisation may not always be the proportionate or least intrusive measure to ensure regulatory access or compliance with local laws. For instance, the entities captured by the RBI directive for the payment sector already have various reporting and access requirements by virtue of being licensed service providers. These could be made more stringent without a need to localise the data. Similarly, tax laws are also evolving to account for cross-jurisdictional activities -- for example, through the "equalisation" levy adopted in 2016 and the more recent development on taxation based on "significant economic presence" irrespective of having a place of business in India.
3. Legitimacy of requests: The apparent unwillingness on the part of global intermediaries (such as Google and Facebook) to comply with government requests for information does not necessarily imply a recalcitrance on the part of these businesses to comply. It may for instance indicate vague or improper requests being made by the Government and its agencies. That said, anecdotal evidence, whether in the form of the Snowden revelations or otherwise, does reflect a significant mismatch in the information sharing by large Internet intermediaries with Governments in their home countries compared to countries such as India.

To the extent that legitimate Government access remains a problem, the existence of less intrusive measures that could achieve the same ends needs to be explored. For instance, the Telecom Regulatory Authority of India had noted in its cloud computing recommendations that India should try and sign more MLATs and more holistic ones, which could also include mechanisms for electronic processing of requests. The private sector could also be encouraged to adopt electronic reporting mechanisms for government requests. For instance, reports suggest that Apple is already working on such a platform. At the same time, more work needs to be done on identifying the specific problems being faced by law enforcement or other agencies in accessing any specific types of data; the responsible stakeholders and targeted interventions that may be adopted. Where necessary, such measures may include limited localisation. This may, for instance, mean requiring specific categories of providers to keep a copy of the data within the country, if it can be clearly demonstrated that immediate and on-demand access to specific types of data is necessary for the discharge of specific state functions and the same cannot be achieved through other less intrusive means.

### Economic perspective

The third set of arguments one sees in the context of localisation relate to issues of the Internet economy and costs of localisation measures. We consider three issues in this context: first, the macro and micro economic costs of localisation; second, the effects on the local economy in terms of inviting reciprocal measures, boosting competition in the sector or aiding local manufacturing or AI industries; and finally, we examine how localisation related measures are increasingly becoming a part of the international trade discourse.

Costs and impacts on the economy: One of the main arguments against mandatory localisation stems from the cost that it is likely to impose on businesses and consequently, consumers and the economy as a whole. Widespread localisation norms will mean that businesses and other users -- both domestic and foreign -- will no longer have the flexibility to choose the most cost-effective or task-specific location to store their data. In addition to reducing the benefits made possible through economies of scale, companies will also need to duplicate infrastructure in multiple jurisdictions. The global nature of the Internet has also enabled numerous cross-jurisdictional services, platforms and functions - ranging from high-end cloud based services to detection of fraud in credit card systems using cross-jurisdictional data. These costs / efficiency losses will ultimately be passed onto consumers in the form of higher costs of service or reduced functionality.

While several sources refer to the cost implications of localisation, there are only a handful of studies that actually attempt to quantify the potential economic gains or losses. The most oft quoted (though not uncontested) study on this subject has been released by the European Centre for International Political Economy. This predicts a reduction of the Indian GDP by almost a percentage point should broad localisation measures be introduced (Bauer et al., 2014). The authors note that any gains stemming from data localisation are too small to outweigh losses in terms of welfare and output in the general economy. Another study points to how forced data localisation laws would require companies to pay 30-60 percent more for their computing needs (Leviathan, 2015). Two newer studies however demonstrate that while restrictions on cross border data flows inhibit trade and services, policies targeting the uses of data, which include measures ranging from data retention requirements to government access and data breach notification norms, have a much larger negative impact on productivity (Ferracane and van der Marel, 2018; Ferracane, van der Marel & Kren, 2018).

Looking at the digital ecosystem in India, it appears that the costs imposed by broad localisation measures would be non-trivial, given the underdeveloped state of India's data center infrastructure. A part of this is due to the costs involved in building large data centres, the absence of proper downstream infrastructure such as uninterrupted power supply, as well as weather conditions in India which necessitate greater expenditure on cooling. Notably, a Gartner study in 2015 found that India held just about 1.2 percent of the world's data center infrastructure and 5.23 percent in the Asia-Pacific region (IAMAI, 2016). Taking into account factors like energy cost, international bandwidth, ease of doing business and taxation provisions, the Cushman and Wakefield (2016) Data Center Risk Index score placed India at thirty-sixth position, with a score of 47.84 (out of a highest score of 100). Essentially, present conditions make it uneconomical and inefficient to host large quantities of data in India. The now abandoned report of the draft e-Commerce Task Force (2018) also acknowledged this fact. It highlighted the need for capacity development in terms of infrastructure for data centres, improvements in power supply and tax benefits before mandating full data localisation.