Softening Data Localization

April 29, 2019 | by Srivats Shankar
The official logo for the Reserve Bank of India
It is time to get serious about law enforcement and technology – but is data localization really the answer

Data localization has been a hot topic in India for the last several months. With Mark Zuckerberg’s recent statements pertaining to data localization and countries with “weak rules of law”, there is no doubt that this is a matter of concern for all stakeholders. For the companies that are subject to these regulations, it is a matter of ease of business, excessive regulatory scrutiny, and the cost of compliance. On the other hand, for regulators it enhances the ease of administrative compliance and enforcing warrants. While these competing interests exist, end-users are often stuck in the crossfire. There is no doubt that if regulators have better access to data it could potentially mean protecting their interests and privacy. On the other hand, the quality of service and state paternalism are no doubt matters of serious concern.

Recently, that has been extensive debate relating to data localization. In India the most significant discussion of this was in reference to  the Sri Krishna Committee Report, which discussed the development of a Data Protection Framework. According to the committee, data localization did have its merits in relation to enforcement and access of information. However, at the same time in their own words they noted that it is not possible to have a “one-size-fits-all” solution for this problem. Currently, India has been wrangling with the issue and the Reserve Bank of India (RBI) has as of April 2018 decided to take action along these principles.

By virtue of a notification RBI mandated that system providers subject to their jurisdiction currently do not store data within India. In pursuance of their powers under the Payment and Settlement Systems Act, 2007, they decided to mandate the localization of all system providers, for better monitoring and enforcement. This notification was even applicable on all intermediaries involved in such systems.

Service providers were in effect put in a stranglehold that placed an obligation on them to move all financial data immediately. However, the RBI has remained steadfast in its commitment to ensure compliance with its notification. This was naturally met with criticism from corporations and states.

The US Senate caucus for India took up this point. Senators John Cornyn and Mark Warner had recommended that regulators take a lighter approach towards data localization. According to them, the immediate measures proposed by the RBI would hamper free flow of data across borders. This was largely due to lobbying measures adopted by corporation with a significant presence within the USA. However, specifics were limited in this letter.

The EU in a letter submitted to the Ministry of Electronics and Information Technology offered some suggestions on how alternatives to data localization can come about and operate. With regard to data localization they offered a recommendation based on the General Data Protection Regulations 2016 and the US CLOUD (Clarifying Lawful Overseas Use of Data) Act 2018. The main focus of the point was law-enforcement gaining access to data. They stated that irrespective of where the data was located, by virtue of a legislation it could be established that access to data can happen no matter the circumstances. This would of course be subject to the regular procedure of law. However, it stands as an opposite to the existing standards. Additionally, having a controller located within India, who would be responsible for ensuring access to data and compliance with the law would be a desirable change over data localization.

Currently, India has not faced any significant denial of data. By considering monetary penalties, and contemplating the possibility of limiting access to law enforcement additional statutory deterrence mechanisms can be established. Requiring jurisdiction to access data will continue to remain an ongoing issue, one that requires serious contemplation.

The concerns of law enforcement and the RBI to implement data localization are by no means insignificant. However, there clearly are mechanisms to improve the overall efficacy of the system. As time passes the state should consider long-term implementation of regulatory requirements that would be easier to comply with, yet at the same time remain efficacious.