NIPFP: Data localisation norms are too broad, don't address key issues

Mandatory nature of localisation within specific regions ups risks of security breaches and data misuse; lack of strong protection regime may lower data protection and efficacy of payments ecosystem

A recent paper by the National Institute of Public Finance and Policy, an autonomous government research institute, has come down heavily on the data localisation norms introduced by the Reserve Bank of India (RBI) earlier this year. The report notes that the guidelines are too broad and does not address specific problems due to an inadequate understanding by regulators of the complex nature of technology operations by financial and tech firms worldwide.  

On 6 April the RBI issued a directive for all players in payments and settlement ecosystem to comply with new rules concerning the storage and processing of data. It also extends to intermediaries and third party vendors contracted to handle data on behalf of payment operators.

Between 1961 and 2016, as many as 84 data localisation requirements were introduced in the 64 countries. Most introduced conditions to be fulfilled before the transfer of data, while 25 per cent imposed local storage but not on processing and 33 per cent imposed a ‘closed’ model, similar to the RBI’s directive.

Some have argued that the policy was brought in with haste and no consultation, and only on three occasions prior did the central bank indicate its intervention with such a policy direction

“Absent a transparent regulation making process we have no way of knowing the different options that were considered by the regulator, or the factors that motivated the selection of this particular option,” state the authors’ Rishab Bailey and Smriti Parsheera, technology policy researchers at the NIPFP.

The research paper examines three implication of the policy for data localisation on civil liberties, state power and economic rationale behind such a policy.

On the privacy front there are two fundamental aspects that the data localisation norms have to be in cooperation with. The first is the Puttuswamy Judgment (privacy verdict by Supreme Court) and the second is the draft Personal Data Protection Bill of 2018.

There are some exceptions to cross-border flows in the RBI directive, and for in the draft Personal Data Protection Bill for the government to provide exemptions for particular countries, sectors or international organisations from the strict guidelines.

“Current laws and policies already provide for full data localisation in so far as government records and publicly funded data from government sources is concerned,” note the authors.

Firstly, the mandatory nature of data localisation within specific geographies increases the likelihood of security breaches and misuse of data. While the authors state that hackers often target ‘large players’ because of the volume of sensitive information they store, cyber-security experts, have said that hackers target whoever is most vulnerable and has inadequate security controls, be it a small or large firm.

Secondly, the privacy framework under the Information Technology act is “woefully inadequate, in terms of substantive protections, remedies and implementation,” therefore, “putting in place sweeping data localisation requirements without a commensurate and strong data protection regime could act to lower,” data protection and the efficacy of the payments ecosystem.

There is the ability of the state to restrict access to content hosted locally, especially by smaller players, in pursuit of political and ideological objectives.

Further, misuse of state power in recent times by imposing internet shutdowns, 95 as of August 2018, across towns and cities in the country is a clear indication of how the broad data localisation ‘requirements may indeed harm the expression rights of citizens,’ states the report.

While domestic payments companies said that they are ready to comply with the directive by 15 October, global firms like Visa and Mastercard stated their intent to comply with the RBI’s directive but required more time.

The complexities of the data operations for some of these companies needs to be understood, say experts. For instance a card-issuing company may process and analyse all middle-income earners’ credit card transactions conducted globally at one data centre in Europe, while another data centre in Europe would process a specific data for an entirely different purpose.

As a result “businesses will have to redesign their systems, bear the cost of higher data storage charges and face the challenge of storing their data in a relatively less secure environment, the costs of which will ultimately trickle down to their users.”

There are two sides to the economic argument for data localisation.

The first deals with the fact that the internet, as the mass public knows it, is essentially restrictive and exhibits aspects of a closed-market where a few dominant global players like Google, Amazon or Facebook collect, process, analyse and act on million tera-bytes of users’ data every single day.

Indian authorities, the paper says, have pointed out non-compliance and uncooperative behaviour on the part of these firms and the data localisation policy is a measure to make such companies ‘toe the line’. However, as Google’s Transparency report notes some of these requests from state entities violate Google’s own privacy policies and are woefully vague and arbitrary.

Ultimately the question is about consent, control and accountability, states the report.

The other argument in terms of the economic need for data localization is the issue of taxation.

Several domestic players, through industry associations and lobby groups particularly those entangled in the payments-Aadhaar related ecosystem, are pushing for the data localization policy as “foreign companies to exploit local market data without paying fair taxes.”

By mandating that local servers be hosted in the local country there would be an established ‘fixed place of business’ and hence a liability to pay tax.

But the papers’ authors question this thinking stating that India has introduced the notion of ‘significant economic presence’ in the Income Tax Act through the Finance Act of 2018, which establishes the existence of ‘fixed place of business’.

 “Widespread localisation norms will mean that businesses and other users – both domestic and foreign – will no longer have the flexibility to choose the most cost-effective or task-specific location to store their data. These efficiency losses will ultimately be passed onto consumers in the form of higher costs of service,” state the authors.

Further the broad localisation will impact the way global businesses function and could affect India’s software and start-up world with larger implications for its economic interests.

Even arguments that data localisation will boost the domestic hardware industry and generate employment are exaggerated, say the authors, given that the bulk of the capital (technology) equipment is imported and barring the employment of construction workers to build a data centre, for example, the utility of labour as compared to the costs of data centres is meagre.

For example a $1 billion data center built by Apple in North Carolina in 2011 created only 50 full-time jobs and another 250 support jobs in areas such as security and maintenance.

If the guidelines are implemented in full, as it stands today, global players are better positioned to spend than local-smaller players and as a result they will have strengthened their dominance across sectors in the domestic market. While ‘sharding’ of databases, a method of effective and efficient data sharing, processing performance and protection, will be restricted to certain degrees.

There are also multilateral trade agreements, one promoted by the World Trade Organisation for instance, that are seeking to create a global data-sharing policy at the same time as countries are looking to protectionist solutions.

“India must also resist the pressure to enter into bilateral or multilateral trade agreements that constrain its ability to take future decisions on data localisation…India’s position on data localisation must ultimately be weighed against the government’s … the need for strategic thinking on whether a closed data economy or an open one would be more conducive…,” say the authors.

In conclusion, the data localization norms are too broad, have large cost implications and are based on contradictory arguments provided by industry executives and regulatory or government authorities.

The reports’ authors say the RBI and government should address specific contentious data storage and processing issues and not implement a wide-ranging policy that will have implications that undermine the very stated goals that the policy seeks to achieve.