Friday, February 22, 2019

Data localisation in India: Questioning the means and ends

by Rishab Bailey and Smriti Parsheera.

Data localisation has become a recurring topic in Indian public policy debates. This has been prompted by moves such as the RBI directive in April 2018 mandating local storage of all payments-related data; the proposals in the draft Personal Data Protection Bill, 2018; and localisaton proposals in other sectors such as e-commerce and health. Calls for localising data are increasingly tied together with the narrative of "data colonisation", with localisation being seen as an antidote to control of global data sets by large multi-national corporations. At the same time, there are broader concerns about the growing relevance of the digital economy, its diverse socio-economic impacts and the limited ability of states to effectively regulate this space. In the absence of a global compact on issues such as privacy, cyber security, surveillance, and cross border data flows, data localisation is being seen as a tool, although a contested one, to exert national control over the digital ecosystem.

Much of the conversation around localisation has been centered around economic arguments, in terms of its compliance costs, impacts on the industry and overall economic growth. In a recent paper on this subject, we try to broaden this debate by classifying the arguments around localisation into three perspectives -- the civil liberties perspective, with a focus on expression and privacy rights; the government functions perspective, focusing on data access by state agencies for regulatory and law enforcement purposes; and the economic perspective referred to above.

Following an exploration of these different perspectives, we note that the overall costs of across the board data localisation norms are likely to outweigh its expected benefits. Yet, there may indeed be circumstances where a narrowly-tailored localisation requirement might be justified. Therefore, rather than implementing far reaching, but poorly thought out, solutions mandating data localisation, the current focus should be on building a transparent process for weighing the trade-offs of data localisation in different contexts. At the same time we must be equally cautious of sweeping "free flow of data" provisions in international trade agreements, which may amount to giving up the ability to adopt specific measures as and when a need is identified.

What is data localisation?

The term data localisation generally refers to requirements for the physical storage of data within a country's national boundaries although it is sometimes used more broadly to include any sort of restrictions on cross border data flows (Chander and Le, 2015). Ferracane (2017) categorises such restrictions into two broad heads -- strict and conditional. The former category includes requirements of local storage or processing of data or, in stricter cases, a complete ban on transferring the data abroad. In case of conditional restrictions, the transfer of the data is made subject to the satisfaction of certain conditions, such as obtaining the consent of the user before transferring the data.

In the paper, we use the term in its commonly understood sense, implying the mandatory requirements of local data storage. This could be in the form of exclusive retention norms, which mandate that the data should be retained only on domestic servers, or the slightly less stringent version of data mirroring that compels at least one copy of the data to be stored locally.

Despite the attention it has garnered in recent times, the data localisation debate in not something new. As per a study conducted by the European Centre for International Political Economy, over 80 different localisation measures were introduced in the 64 countries studied by them in the last 50 odd years (Ferracane, Lee-Makiyama & de Marel, 2018). Links can however be drawn between the surge in data localisation measures in the last ten to fifteen years and the rise of the data-driven economy with accompanying social, economic and political consequences.

While some countries, like Russia, China, Vietnam and Indonesia, have opted for relatively broad based localisation requirements, most others tend to apply differential standards based on the nature of the data and the sector to which it pertains. To take a few examples, sectoral localisation norms are found in Australia (health data), France (data relating to judicial proceedings) and Germany (telecommunications metadata and tax accounting data) (Cory, 2017). It is also common to find localisation requirements for government and public sector data. India has also adopted localisation norms for certain specific types of data, such as public records as well as data held by telecommunications providers. Pursuant to the RBI's directive in 2018, all payments sector data is also required to be stored "only in India". The paper criticises the manner in which this decision was brought into effect, without sufficient articulation of the objectives; inadequate justification for choosing exclusive localisation as the most appropriate response; and absence of any public consultation.

In the sections that follow we outline the implications of localisation measures from the civil liberties, government functions and economic implications perspectives.

Civil liberties perspective

While localisation may affect a number of rights, including those relating to business, property and association, the primary rights affected are that of privacy and freedom of speech and expression.

Privacy and security of data: The increasing privacy awareness in India, particularly after the Supreme Court's judgment in the Puttaswamy case and the Cambridge Analytica-Facebook incident, is often used as a peg to demand the localisation of personal data. This is also reflected in the Personal Data Protection Bill, 2018, which mandates the creation of local copies of all personal data (subject to certain exceptions). The Bill also requires exclusive domestic processing of certain categories of data, which are to be notified in the future. Given the increasing volumes of user data being generated and captured in the digital ecosystem and the possible harms that may occur from unauthorised uses of personal data, there is little doubt about the need for having appropriate legal and technical frameworks for data protection. It is, however, questionable whether merely locating data within the territory of India would actually make it any safer or less likely to be misused, particularly in the absence of a modern and well-functioning data protection law.

There are three sets of issues to be considered in this context:

  1. Architectural issues: The first set of questions relate to whether localisation would lead to greater centralisation or decentralisation of data; and which of these would be preferable from a security and data protection perspective? Some argue that forced localisation would cause providers to spread their resources over a large number of locations, with reduced security at each level (Cohen et al., 2017). It is also argued that domestic enterprises may lack access to the necessary infrastructure and technical or human capacity to implement strong data security measures (compared to bigger, globally competitive entities based in jurisdictions of their choice) (Chander & Le, 2015). Kuner (2015) however points to the "jackpot problem" -- that hackers often target large global players, precisely because of their size and the quantity of user information they store. In addition, there is also the question of how data localisation requirements will be monitored and enforced and what this may mean from a civil liberties perspective.
  2. Adequacy of current laws: While privacy has been recognised as a fundamental right, the institutional framework for enforcing this right still remains inadequate. Indian law also continues to grant wide powers of interference with privacy rights to the Government. Notably, the Government has broad powers to call for information under the Criminal Procedure Code and other surveillance related laws. In the absence of broader legal or regulatory reform, it is therefore questionable whether localisation will actually enhance privacy and security of personal data of Indians. It is worth noting in this respect that instead of insisting on mandatory localisation, alternative and less intrusive measures could also be considered to ensure the safety of data irrespective of its location. The European GDPR, for instance, utilises measures such as binding contractual rules and adequacy decisions to ensure that data is protected irrespective of its location.
  3. Given the requirements for an interference with the fundamental right to privacy, as articulated by the Supreme Court in the Puttaswamy case, the onus would be on the state to demonstrate the proportionality and necessity of any localisation measures. This would involve demonstrating that no alternative, less intrusive means are available to reach the same end, which will be hard to justify in case of sweeping localisation measures.

  4. Domestic and foreign surveillance: In the absence of adequate checks and balances in the law, localisation can enable more intrusive information gathering by local intelligence and law enforcement agencies (LEAs). While acknowledging this concern, it is sometimes argued that localisation would also limit the ability of foreign intelligence agencies to spy on Indian data. However, the sufficiency of this reason as a ground for localisation can be contested on three fronts. First, as noted above, localisation would make it easier for local agencies to carry out surveillance, both through legal as well as extra-legal means. Increased surveillance by domestic agencies would constitute a greater immediate threat to citizens compared to surveillance by foreign agencies. Second, legal developments such as the passage of the CLOUD act in the United States (US) authorise US agencies to access data stored abroad by US companies. Finally, given what we know about the pervasive and sophisticated nature of intelligence tactics used by several agencies, localisation may not actually stop them from accessing local data. To fully safeguard domestic data against any such interference will require a level of isolation from the Internet, which is not desirable or even possible in a modern democratic setup.
  5. It therefore appears that localisation may increase domestic surveillance while the benefits with respect to foreign surveillance remain unclear. However, in this context one also has to keep in mind that while a citizen may have some protections against surveillance conducted domestically, this would be much harder in case of surveillance by foreign actors.

Ultimately, the degree of protection afforded to data depends on the effectiveness of the data protection regime and the technical measures being implemented. India is currently lacking on both parameters. Without such frameworks in place, using privacy or security of data or the possibility of a data breach as an explanation to mandate localisation appears far-fetched or, at best, premature. In general, the interests of Indian users would be better served by making sure that the relevant data is adequately protected, irrespective of its location, by putting in place a comprehensive law covering issues of data retention, access by regulators, courts and LEAs and safer mechanisms for cross border data transfers.

Freedom of speech and expression: As far as the effects of localisation on expression rights are concerned, one must keep in mind that an essential characteristic of the Internet is the ability to send and receive information freely across borders. This global access enables the Internet's generativity -- the capacity to enable unforeseen innovation; which could be harmed by broad localisation norms. While merely locating data in a country does not in itself make it vulnerable to censorship (or surveillance); data would certainly be more vulnerable if the country the data was located in had laws that gave the state greater powers of restricting access to content, or if it lacked the capacity or will to ensure proper oversight of its executive agencies.

The Indian state has been increasingly resorting to broad based censorship measures in the digital space. Examples of this include the proposal of requiring Internet intermediaries to undertake proactive monitoring of content on their platforms (Bailey, Parsheera and Rahman, 2019); and the increasing number and duration of Internet shutdowns. These instances indicate that localisation may provide yet another tool for the state to carry out censorship more easily and effectively.

Localisation could also mean that smaller entities or those that do not consider India to be a significant enough market to justify the financial and transactional costs of localisation could pull out their services. This is known to have happened in the European context post the enactment of the GDPR, which resulted in some online multiplayer games and foreign news websites becoming inaccessible to European users. It is also worth remembering that censorship of localised content could make it inaccessible all over the world (not just domestically).

One of the arguments put forth by the Justice Srikrishna Committee in support of localisation is that it would reduce the vulnerabilities that India may face in case of any breach in undersea cables and resulting disconnection from the Internet. We believe that the benefits to speech rights, which may result in that (low probability) circumstance, are offset by the real threat of increased censorship and denial of access to media and services on an ongoing basis.

Government functions perspective

It is the duty of a state to ensure that individuals are adequately protected and have an effective remedy for breach of their rights. This requires state agencies to have appropriate tools for the investigation and take down of illegal content, in accordance with the procedure established by law. Equally, regulatory entities also have genuine requirements to access data in connection with the discharge of their functions. It has however been noted that jurisdictional and other barriers often make it difficult for domestic agencies to gain legitimate access to the required data. The absence of broader international agreements on cross-border data sharing and complexity or delays in the processes under mutual legal assistance treaties (MLATs) further complicate this problem.

On the face of it, it therefore appears that localisation would aid law enforcement and other domestic institutions to implement local laws more effectively. It would also not be a stretch to argue that companies are far more likely to respond to requests from local authorities in circumstances where these agencies are in a position to take punitive action against physical infrastructure or personnel. However, a closer examination may lead one to question whether localisation will indeed help enforce laws or secure regulatory access on account of the factors listed below.

  1. Location not the only determinant: Location is not the only determinant of lawful access by LEAs and regulatory agencies. A significant amount of data flows are encrypted in nature. In fact, regulatory entities such as the RBI themselves mandate encryption of certain forms of data. This implies that even if the data is stored locally, authorities have to go through the process of making lawful decryption requests before the data is accessible to them in a usable form. The Apple-FBI situation where the company refused to decrypt data for the FBI illustrates the kind of barriers that may be faced in this process.
  2. Need for proportionate measures: Localisation may not always be the proportionate or least intrusive measure to ensure regulatory access or compliance with local laws. For instance, the entities captured by the RBI directive for the payment sector, already have various reporting and access requirements by virtue of being licensed service providers. These could be made more stringent without a need to localise the data. Similarly, tax laws are also evolving to account for cross-jurisdictional activities -- for example, through the "equilisation" levy adopted in 2016 and the more recent development on taxation based on "significant economic presence" irrespective of having a place of business in India.
  3. Legitimacy of requests: The apparent unwillingness on the part of global intermediaries (such as Google and Facebook) to comply with government requests for information, does not necessarily imply a recalcitrance on the part of these business to comply. It may for instance indicate vague or improper requests being made by the Government and its agencies. That said, anecdotal evidence, whether in the form of the Snowden revelations or otherwise, does reflect a significant mismatch in the information sharing by large Internet intermediaries with Governments in their home countries compared to countries such as India.

To the extent that legitimate Government access remains a problem, the existence of less intrusive measures that could achieve the same ends needs to be explored. For instance, the Telecom Regulatory Authority of India had noted in its cloud computing recommendations that India should try and sign more MLATs and more holistic ones, which could also include mechanisms for electronic processing of requests. The private sector could also be encouraged to adopt electronic reporting mechanisms for government requests. For instance, reports suggest that Apple is already working on such a platform. At the same time, more work needs to be done on identifying the specific problems being faced by law enforcement or other agencies in accessing any specific types of data; the responsible stakeholders and targeted interventions that may be adopted. Where necessary, such measures may include limited localisation. This may, for instance, mean requiring specific categories of providers to keep a copy of the data within the country, if it can be clearly demonstrated that immediate and on-demand access to specific types of data is necessary for the discharge of specific state functions and the same cannot be achieved through other less intrusive means.

Economic perspective

The third set of arguments one sees in the context of localisation relate to issues of the Internet economy and costs of localisation measures. We consider three issues in this context: first, the macro and micro economic costs of localisation; second, the effects on the local economy in terms of inviting reciprocal measures, boosting competition in the sector or aiding local manufacturing or AI industries; and finally, we examine how localisation related measures are increasingly becoming a part of the international trade discourse.

Costs and impacts on the economy: One of the main arguments against mandatory localisation stems from the cost that it is likely to impose on businesses and consequently, consumers and the economy as a whole. Widespread localisation norms will mean that businesses and other users -- both domestic and foreign -- will no longer have the flexibility to choose the most cost-effective or task-specific location to store their data. In addition to reducing the benefits made possible through economies of scale, companies will also need to duplicate infrastructure in multiple jurisdictions. The global nature of the Internet has also enabled numerous cross-jurisdictional services, platforms and functions - ranging from high-end cloud based services to detection of fraud in credit card systems using cross-jurisdictional data. These costs / efficiency losses will ultimately be passed onto consumers in the form of higher costs of service or reduced functionality.

While several sources refer to the cost implications of localisation, there are only a handful of studies that actually attempt to quantify the potential economic gains or losses. The most oft quoted (though not uncontested) study on this subject has been released by the European Centre for International Political Economy. This predicts a reduction of the Indian GDP by almost a percentage point should broad localisation measures be introduced (Bauer et all, 2014). The authors note that any gains stemming from data localisation are too small to outweigh losses in terms of welfare and output in the general economy. Another study points to how forced data localisation laws would require companies to pay 30-60 percent more for their computing needs (Leviathan, 2015). Two newer studies however demonstrate that while restrictions on cross border data flows inhibit trade and services, policies targeting the uses of data, which include measures ranging from data retention requirements to government access and data breach notification norms, have a much larger negative impact on productivity (Ferracane and van der Marel, 2018; Ferracane, van der Marel & Kren, 2018)

Looking at the digital ecosystem in India, it appears that the costs imposed by broad localisation measures would be non-trivial, given the underdeveloped state of India's data center infrastructure. A part of this is due to the costs involved in building large data centres, the absence of proper downstream infrastructure such as uninterrupted power supply as well as weather conditions in India which necessitate greater expenditure on cooling. Notably, a Gartner study in 2015 found that India held just about 1.2 percent of the world's data center infrastructure and 5.23 percent in the Asia-Pacific region (IAMAI, 2016). Taking into account factors like energy cost, international bandwidth, ease of doing business and taxation provisions, the Cushman and Wakefiled (2016), Data Center Risk Index score placed India at thirty sixth position, with a score of 47.84 (out of a highest score of 100). Essentially, present conditions make it uneconomical and inefficient to host large quantities of data in India. The now abandoned report of the draft e-Commerce Task Force (2018), also acknowledged this fact. It highlighted the need for capacity development in terms of infrastructure for data centres, improvements in power supply and tax benefits before mandating full data localisation.

Effects on the domestic industry: While it is often claimed that localisation could provide a boost to local manufacturing and employment, this is contestable on the grounds that most equipment in data centres is imported and in any event, not much employment is generated by data centers. For instance, a $1 billion data center built by Apple in North Carolina, United States in 2011, created only 50 full-time jobs and another 250 support jobs in areas such as security and maintenance (Cory, 2017).

It is also unclear how localisation measures could act to aid competition (or reduce the reach of large dominant players) in the digital economy. Bigger companies are generally better placed to respond to and meet regulatory requirements. It is therefore possible that while the bigger companies can easily afford to set up data centers in India, smaller firms (whether Indian or foreign) may face relatively higher entry barriers on account of increased costs, thereby hampering competition in some sectors.

Another powerful narrative that has emerged in recent times is about the need for domestic mechanisms for the creation, sharing and use of data for the development of artificial intelligence (AI) development. To quote from the Justice Srikrishna Committee's report, "The growth of AI is heavily dependent on harnessing data, which underscores the relevance of policies that would ensure the processing of data within the country using local infrastructure built for that purpose". In this respect, it is not very clear how merely locating data in India will make it accessible for beneficial research, in the public or private domains.

One must also be aware of the possibility of retaliatory measures and the effects this could have on the vital information technology (IT) and related sectors. The IT sector contributed about 7.9 percent of India's GDP in the year 2017-18 (MeITY, 2018) and a sizeable part of export of India's IT services sector comes from the outsourcing / business process management industry (IBEF, 2018). Therefore, India's role in furthering a global push towards increased data localisation needs to be considered carefully, taking into account the likely consequences of reciprocal localisation measures by other countries.

Free trade agreements (FTAs): The growing importance of global e-commerce has placed data localisation debates at the heart of many international trade discussions. The US, in particular, has been at the forefront of pushing for the removal of various kinds of restraints on cross-border trade carried out through electronic means. Despite attempts by the US and other countries like Canada and Japan, the e-commerce conversation at the World Trade Organization (WTO) level is limited to discussions and has not achieved a rule-making mandate (Macleod, 2015). Many developing countries, including India, have resisted a broadening on this mandate. Many researchers also oppose this sort of "mission creep" at the WTO on the ground that it would require developing countries to sign away their right to strategically regulate the digital market and data flows (Gurumurthy and Chami, 2017).

While the global e-commerce discussions under the WTO have not managed to progress, provisions relating to cross-border trade and localisation of data have found their way into other multilateral arrangements. Prominent among these are the recently signed Comprehensive and Progressive Agreement for Trans-Pacific Partnership and the recently signed US-Mexico-Canada Free Trade Agreement. These arrangements contain fairly strong measures to support the free flows of data across borders.

The position adopted by those who seek to include data flow related issues in trade agreements appears to be based on the notion that personal data must be treated as any other commodity. Accordingly, free flows of data must be the de facto
position unless justified by overwhelming public policy concerns. What constitutes a legitimate public policy concern would be adjudicated at the international level, under the WTO framework (Hill, 2017). However, this approach has been challenged on three grounds. The first is a rights-based argument that sees personal data as being essential to a person's autonomy and identity, and therefore more than a tradeable commodity. Second, is the fact that commercial exploitation and trade in commodities of various kinds are in any case subject to various kinds of regulation or taxes. Third, is the concern that the use of WTO mechanisms for handling data flows would reduce democratic control over data (Hill, 2017).

Ultimately, irrespective of whether one considers trade negotiations to be an appropriate location to discuss cross-border data flows, a global resolution of the issue appears unlikely unless the rights based, economic and strategic concerns of developing nations are duly accounted for. The concern, however, remains that despite the absence of an agreement at the WTO level, widely worded data flow restrictions have already found their way into a number of bilateral and multilateral trade agreements.

Conclusions

The paper examines the key arguments that are generally used to make a case for data localisation under three heads. First, there is the claim that local hosting of data will enhance its privacy and security by ensuring that an adequate level of protection is given to the data. Second, it is argued that lack of government access to data (due to it being stored in another jurisdiction) impedes the law enforcement and regulatory functions of the state, which can be addressed through localisation. Third, there is the narrative on the economic benefits that will accrue to the domestic industry in terms of creating local data infrastructure, employment, and contributions to the AI ecosystem.

Following an assessment of each of these perspectives we find that the costs of introducing broad and sweeping data localisation norms are likely to outweigh its benefits, from a rights-based perspective as well as an economic one. India's approach to this question must also be informed by strategic thinking on whether a closed data economy or an open one would be more conducive to meeting its long-term social and economic goals.

However, this is not to suggest that data localisation can never qualify as a justified measure. There may indeed by circumstances where local storage (and even processing) of the data can be justified, particularly on certain normative grounds. In order to identify such instances and arrive at a narrowly tailored response, the policymaking process should ensure that any measures are adopted only pursuant to a well-defined and transparent evaluation process. The steps in this process would include (i) articulation of the specific problem(s) that are sought to be addressed: (ii) identification of the range of measures that could be used to combat the problem and assessment of the expected costs and benefits of each intervention; and (iii) evaluation of whether localisation is the least restrictive means to address the problem, with a graded approach of considering the least intrusive form of localisation before proceeding to stricter requirements. Importantly, this entire process should be carried out in an open and transparent manner allowing stakeholders the opportunity to question and strengthen the analysis.

References

Bauer et al, 2014: Matthias Bauer, Hosuk Lee-Makiyama, Erik van der Marel and Bert Verschelde, The costs of data localisation: Friendly Fire on Economic Recovery, ECIPE Occasional Paper, No. 3/2014.

Cory, 2017: Nigel Cory, Cross Border Data Flows: Where Are the Barriers and What Do They Cost?, Information Technology and Innovation Foundation, May 2017.

Chander & Le, 2015: A Chander and UP Le, Data nationalism, Emory Law Journal, 64(3).

Ferracane, 2017: MF Ferracane, Restrictions on cross-border data flows: a taxonomy, European Centre for International Political Economy.

Ferracane, Lee-Makiyama & de Marel, 2018: MF Ferracane, H Lee-Makiyami and EV der Marel, Digital trade restrictiveness index, European Centre for International Political Economy.

Goldsmith and Wu, 2006: J Goldsmith and Tim Wu, Who controls the internet: Illusions of a borderless world, Oxford University Press.

Baeur, 2016: M Bauer, MF Ferracane, E van der Marel & B Verschelde, Tracing the conomic impact of regulations on the free flow of data and data localisation, Centre for International Governance Innovation and Chatham House.

Gurumurthy and Chami, 2017: A Gurumurthy & AVN Chami, The grand myth of cross border data flows in trade deals, IT for Change.

Leviathan, 2015: Leviathan, Quantifying the costs of forced localisation, Leviathan Security Group.

IAMAI, 2016: Internet and Mobile Association of India, Make in India: Conducive policy and regulatory environment to incentivise data center infrastructure.

Ferracane & van der Marel, 2018: MF Ferracane & E van der Marel, Do data policy restrictions inhibit trade in services?, European Centre for International Political Economy.

Ferracane, van der Marel & 2018: MF Ferracane, E van der Marel & J Kren, Do data policy restrictions impact the productivity performance of firms and industries?, European Centre for International Political Economy.

IBEF, 2018: India Brand Equity Foundation, IT & ITeS Industry in India.

Macleod, 2015: J Macleod, E-commerce and the WTO: A developmental agenda, GEG Africa.

Hill, 2017: R Hill, Second contribution to the June-September 2017 Open Consultation of the ITU CWG-internet, why should data flow freely?, Association for Proper Internet Governance.

MeITY, 2018: Software and services sector, Ministry of Electronics and Information Technology.

Srikrishna Committee, 2018: Report of the Committee of Experts under the Chairmanship of Justice BN Srikrishna, A free and fair digital economy: Protecting privacy, empowering Indians.

Ecommerce task force, 2018: Electronic commerce in India: Draft national policy framework (non-official version), Medianama.

Cushman and Wakefield, 2016:Data center risk index, Cushman and Wakefield.

 

The authors are technology policy researchers at the National Institute of Public Finance & Policy. They thank Ajay Shah for valuable discussions.

No comments:

Post a Comment

Please note: Comments are moderated. Only civilised conversation is permitted on this blog. Criticism is perfectly okay; uncivilised language is not. We delete any comment which is spam, has personal attacks against anyone, or uses foul language. We delete any comment which does not contribute to the intellectual discussion about the blog article in question.

LaTeX mathematics works. This means that if you want to say $10 you have to say \$10.