India’s data localisation policies have hidden objective and this is affecting its growth: Study

Although the study focused on data localisation policies worldwide, India found several mentions in the context of data sovereignty and data localisation for censorship and surveillance. 

Countries such as India which have adopted data localisation policies — policies that restrict the flow of data from one country — are hampering the source country’s trade, productivity, and increasing prices for affected industries, claimed a research study by US-based non-profit Information Technology and Innovation Foundation (ITIF).

In the research, ITIF found out that a 1-point increase in a country’s data restrictiveness cut its gross trade output by 7 percent, slows its productivity by 2.9 percent, and hikes downstream prices 1.5 percent over five years.

The study “How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them” specifically criticises India, China, and many European countries which have enforced data localisation policies that “discriminate” against firms.

Overall, the study criticises the various reasonings given by policymakers in each country for adopting data localisation measures. At one point, the study says —

“Nearly all data localization proposals involve mixed motivations. Policymakers often take a “dual-use” approach with an official and seemingly legitimate objective, such as data privacy or cybersecurity, when their primary (hidden) motivation is protectionism, national security, greater control over the Internet, or some combination of these. In some cases, such as India, they use all of them. A telltale sign of hidden motivations is a lack of evidence, transparency, debate, and engagement around a data localization proposal.”

We rarely think twice about what happens to our personal and financial information when we use a streaming website or create an account on an e-commerce portal. The majority of such information is stored outside the country. As a result, over the last few years, India has laid down stringent data localisation measures for the storage of payment data and proposed similar measures in the draft Personal Data Protection Bill and proposed amendments to e-commerce rules. However, these policies have a potential adversarial effect on organisations as they would have to spend huge amounts of money to set up local servers, apart from other infrastructure costs.

What does the report say about India?

Pushing restrictions deeper into technical regulations: “More policymakers (such as in France, India, and South Korea) are being creative in using arbitrary and opaque licensing, certification, and other regulatory restrictions to indirectly require data localization (and exclude foreign firms and products). These policymakers seek to avoid scrutiny from trading partners by pushing restrictions deeper into technical and administrative regulations,” the report said.

India’s data localisation measures have hidden objective: In the section where the study states the five rationales given by nations for data localisation, it also adds that India’s policymakers have a hidden objective when it comes to enforcing data localisation. “Policymakers often take a “dual-use” approach with an official and seemingly legitimate objective, such as data privacy or cybersecurity, when their primary (hidden) motivation is protectionism, national security, greater control over the Internet, or some combination of these. In some cases, such as India, they use all of them,” the study said.

Content takedown requests: India also finds a mention in the “data localisation for censorship and surveillance’ segment of the study which argues that some countries use data localisation policies as a “cudgel to force foreign firms to provide easier access to data for surveillance and political purposes and force compliance with censorship requirements”. In this regard, the study said, “..countries, such as India, enact short deadlines for firms to respond to content takedown requests that create a de facto localisation requirement. Firms have to do this; otherwise, they would not be able to comply (and thus avoid fines and other legal consequences).”

Review legal frameworks to enable efficient cross-border access: The study said that India and Indonesia should review and reform domestic legal frameworks to enable more efficient cross-border access to data. “For example, the EU’s “e-evidence” proposal streamlines cooperation between service providers and law enforcement in the bloc.84 Central to this effort would be a working group with diverse stakeholders, including representatives from different government departments, the private sector, civil society organizations, researchers, and experts in international law to formulate reforms and model data transfer agreements,” the study said.

“Reasons given by countries for restricting data are vague”

In the study, the researchers opine that there are three main kinds of data localisation —

• Governments restrict transfer of particular types of data: The study said that some countries restrict the transfer of personal data such as health and genomic data, mapping and geospatial data, and so on. They also restrict the transfer of internal company data of publicly listed companies and data related to user-generated content.
• Vague categories: “Second, countries are increasingly restricting data in broad and vague categories involving data deemed “sensitive,” “important,” “core,” or related to national security, which often impacts a wide range of commercial data,” the study said.
• De facto localisation: The study highlighted the European Union’s General Data Protection Regime (GDPR) and said that rules such as these have made data transfers complicated, costly, and uncertain. As a result, firms have no other option but to store data locally especially in face of massive fines.

Rationalisations given for data localisation

The study says that behind almost all data localisation policies, there are ‘mixed motivations’.

Misguided data privacy, protection, and cybersecurity: The security of data does not depend on where it is stored, the study said while arguing that data protection policies, which include data localisation frameworks, that many countries adopt are misguided.

Data sovereignty: The study said that policymakers in various countries portray data sovereignty as a concept that helps countries “take back control” and “sovereignty” from foreign technology firms and trading partners. “Misconceptions about data and cybersovereignty miss the point that a complex interplay of economic, governance, social, and political factors determines a country’s position on digital issues. Policymakers deliberately—and deceptively—use these concepts to condense complex phenomena into catchy phrases,” the study said.

Data localisation for censorship and surveillance: The study said that many countries use data localisation to force foreign firms to provide easier access to data for surveillance and political purposes and force compliance with censorship requirements. “Digital authoritarian governments—led by China and Russia—see physical access to data centers as a critical enabler of surveillance and political control,” it said.

Data localisation for law enforcement and regulatory oversight: The study said that some countries use law enforcement and regulatory concerns about cross-border access to data, to justify data localisation. This, the study said, is borne out of a mistaken belief that that firms can avoid oversight and requests for data by simply transferring data out of a country.

Recommendations for policymakers

Global data governance: The study said that policymakers should provide multiple mechanisms to transfer personal data, “encourage firms to improve consumer trust through greater transparency about how they manage data, support the development of global data-related standards, and provide more assistance to developing countries to help with digital economy policy”.

Digital free trade: It urged policymakers to support rules that protect data flows, prohibit data localisation and create new tools to enact retaliatory measures against countries that enact data localisation and other digital protectionist rules.

ITIF also gave specific recommendations such as —

• Countries should pursue new digital economy agreements and mechanisms for cooperation, such as those negotiated by Australia, Chile, New Zealand, and Singapore.
• The Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) should be made a global model for data governance by opening it up to non-APEC members.
• A “Geneva Convention for Data” should to be established with common principles, processes, and safeguards to govern government access data.
• Develop a targetted strategy to support the adoption of financial oversight frameworks that focus on regulatory access to data rather than the location of data storage.
• Improve existing, and build new, mechanisms to improve cross-border requests for data related to law enforcement investigations.

Also read

• Personal Data Protection Bill, 2019: Considering data localisation and its effects on payments
• How a Biden administration may impact tech policy in India

Have something to add? Post your comment and gift someone a MediaNama subscription.