Reports suggest that cross-border data flows contributed $2.8 trillion to the global economy in 2014, a figure expected to touch $11 trillion by 2025. Data has often been referred to as the new oil, an economic resource that is fuelling the fourth industrial revolution.

However, many governments have been inclined towards restricting cross-border data flows and mandating localisation of certain data. It remains to be seen whether curbs on cross-border data flows will lead to the anticipated enhancement of data privacy, sovereignty and security, or whether we are merely heading towards a Walled Wide Web without meeting these objectives.

As in many other countries, the political narrative in India also seems to be tilting towards data localisation. This may be gauged from recent developments in the regulatory and policy frameworks on data governance, which may compel companies to set up their data centres within Indian shores.

Policy goals

Goals set in the Draft National Digital Communications Policy 2018, along with various government notifications and guidelines such as Reserve Bank of India’s notification on Payment Data Storage 2018, and the Guidelines for Government Departments for Contractual Terms related to Cloud Storage 2017, show signs of data localisation.

The rationale behind such mandates has been attributed to various factors, such as securing citizens’ data, data privacy, data sovereignty, national security, and economic development of the country. The extensive data collection by technology companies, due to their unfettered access and control of user data, has allowed them to freely process and monetise Indian users’ data outside the country.

This has raised data protection and privacy concerns. Furthermore, the advent of cloud computing raises important questions on accountability of service providers who store Indian users’ data outside of the country’s boundaries, leading to a conflict of jurisdiction in case of any dispute.

Also, minimal or deregulated governance on critical data, due to absence of localisation requirements, could be detrimental to India’s national security as data would be outside the purview of existing data protection legislation. The ineffectiveness of Mutual Legal Assistance Treaties (MLATs) in this realm aggravates such government fears.

In addition to these, India also aspires to become a global hub for, among others, cloud computing, data hosting and international data centres, all of which are prompting the government to enact data localisation requirements for accelerating the nation’s economic growth, especially in the sphere of digital technologies.

Though these policy goals are justifiable, a deeper analysis is required to determine the possible adverse spill-over effects on relevant stakeholders in case a faulty roadmap is adopted to achieve them.

Adequate attention needs to be given to the interests of India’s Information Technology Enabled Services (ITeS) and Business Process Outsourcing (BPO) industries, which are thriving on cross-border data flow.

The possible rise in prices or unavailability of foreign cloud computing services in case of a data localisation mandate, and its impact on micro, small and medium enterprises (MSMEs) as well as start-ups relying on these services, must also be accounted for.

Domestic and foreign businesses engaged in developing data-driven new-age technologies such as the Internet of Things and Artificial Intelligence may also find it hard to comply with data localisation requirements.

Holistic analysis

Another area of caution for policy-makers is to prepare adequate ground through holistic analysis, before mandating data localisation, especially on devising an optimal regulatory and legislative framework for data processors and data centres operating in the country.

Adequate infrastructure in terms of energy, real estate, and internet connectivity also needs to be made available for India to become a global hub for data centres. Promoting confidence in users without sacrificing expectations of privacy, security, and safety must also be worked upon.

With the BN Srikrishna Committee’s ‘Recommendations on the data protection legislation’, and the Telecom Regulatory Authority’s ‘Principles on data ownership, security and privacy’ expected soon, the emerging trend of cross-border data flow restrictions becomes worrisome.

While the government’s policy goals certainly have the right intention, adoption of the age-old route of protectionism for their realisation may not be appropriate. Policies that create boulders in cross-border data flows should not be promulgated unless backed by adequate and inclusive research on their multi-faceted impact on relevant stakeholders.

Also, the possibility of triggering a vicious cycle of data localisation requirements by other countries as a response to India’s possible data localisation mandate will be detrimental for the global data economy.

Governance of cross-border data flows is only just beginning and it must be nipped in the bud. Else, as Evgeny Morozov, researcher and writer on digital technology, says: “Information technology, which has been one of the leading drivers of globalisation, becomes one of its major victims.”

Enhanced cooperation between all stakeholders in the global arena, through prolific debates, may pave the way ahead for deciding the fate of cross-border data flows, without compromising on data privacy, security and sovereignty.

This writer is Senior Research Associate, CUTS International.