Comments
The Justice Srikrishna Committee Report and the Personal Data Protection Bill, 2018 (Data Protection Bill) has proposed: (i) all personal data to which the law applies must have at least one serving copy stored in India; (ii) personal data critical to national interest must be stored and processed only in India; and (iii) the Centre will have the power to exempt transfers on the basis of strategic or practical considerations.
This requirement to mandatorily localise data within the country (data localisation) is expected to improve security and technology within India. The Report has put forth four arguments in favour of data localisation.
1. It states that a requirement to store personal data locally would boost law enforcement agencies’ efforts to access information required for the detection of crime as well as in gathering evidence for prosecution. For law enforcement agencies, accessing information within their jurisdiction is easier than requesting data from foreign entities based abroad.
Ironically, data localisation does not deflate the threat to data security. For example, cloud takes advantage of economies of scale and a seamless, global internet to draw on the infrastructural architecture across the world. Thus, when there is a threat presumed in one part of the world the algorithm moves the data seamlessly onto the infrastructure of another location and sometimes even to multiple locations. This allows the service providers to adopt several data security measures all the while passing a cost advantage to customers. But by splintering the internet the data security measures are weakened.
Another point is — does requiring the location of a data centre to be within India automatically allow jurisdiction over the data within the data centre? Access to data depends on who has custody, control and possession of the actual data, and that may not necessarily be with the entity that provides the local hosting facility.
2. The Report proposes that data localisation will help avoid the vulnerabilities of relying on fibre optic cable network. The Cyber Security Report 2017 released by Telstra reported that businesses in India were most at risk to cyber security attacks. Organisations in India experienced the highest number of weekly security incidents of all Asian countries surveyed. Thus, a mandatory border control provision may not be the solution to avoiding security breach incidents. Instead, insisting on superior encryption and adoption of robust security measures will pave a better path to the data security destination.
3. The Report also recommends data localisation for prevention of foreign surveillance of critical personal data. Several reports allege that foreign governments use sophisticated malware to spy on our country. This means that forcing the storage of data within the country’s boundaries may not offer it any better or more protection. It is crucial that the data protection law mandates robust security measures that are at par with global industry standards, instead of locking data under its key.
4. Finally, the Report argues in favour of data localisation on the back of the economic benefits that will be derived. However, studies conducted by several reputed institutions suggest that the costs of effecting the data localisation requirements are prohibitive.
Therefore, this question will do well to be substantiated with a more India-centric report.
The writer is Partner, IndusLaw.
Comments
COMMENT NOW
Comments
Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.
We have migrated to a new commenting platform. If you are already a registered user of TheHindu Businessline and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.