A. Introduction: Data localization is neither a new topic nor an under-argued one. The world stage has been lit with debates on this topic for quite some time now1. In 2013 when Edward Snowden, a former contractor with CIA, leaked to the media details of extensive internet and phone surveillance by American intelligence agency, establishing border control provisions on the internet gained an impetus2. China, Russia, Australia, Canada and several other countries have already adopted data localization provisions. In fact, Russia has already set an example of enforcement of its 'data border control' provisions against LinkedIn3 in 2016, and last year4 the Russian Data Protection Authority, Roskomnadzor, published its 2018 plans for conducting inspections of local companies' compliance with Russian privacy requirements including data localization requirement.
The recent report issued by the Committee of Experts under the Chairmanship of Justice B. N. Srikrishna5 ("Committee Report") and the Personal Data Protection Bill, 20186 ("Data Protection Bill") have set the topic sizzling in India again. The Data Protection Bill presently proposes (i) all personal data to which the law applies must have at least one serving copy stored in India, (ii) in respect of certain categories of personal data that are critical to the nation's interests, a mandate is intended to be made to store and process such personal data only in India such that no transfer abroad is permitted, and (iii) the Central Government will be vested with the power to exempt transfers on the basis of strategic or practical considerations.7
This article seeks to understand the various arguments extended by the proponents and opponents of 'data localization' with the aim to understand the implications of the provisions on restrictions on cross-border transfer of personal data proposed under the Data Protection Bill.
B. But first let's understand the technology: Internet is a fabric which weaves data across the world through an intricate network of codes, servers and processes. The core feature being 'seamless access', i.e., movement of data without restrictions and barriers. All web-based businesses like cloud computing8, the Internet of Things (IoT) and big data analytics, apart from the traditional storage, email and social networks, rely9 on the limitless supply of borderless, ubiquitous and on-demand network access. To manage data integrity, data security and speed, service providers use several processes for retrieving and sending data – including storing data in edge cache across borders or on shards10, replicating data for load balancing and storing data in multiple locations across the world to prevent data failure.
Dillion Reisman in his blog 'Where is your data, Really?: The Technical Case Against Data Localization'11 explains the principles driving web development as: "One of the main pillars of web architecture is performance: applications need to get data to users as fast as is reasonably possible. One way to accomplish this is to keep a copy of select chunks of data in "edge caches." Caches place the most in-demand content as close as possible to the end users who will want it, shortening the trip data has to take across the network. The cache network can strategically choose what data to include in cache based on changing demand and other factors. Thus, the expense of storing all data can be moved to a more centralized location while cheaper machines (possibly in different countries) can more quickly distribute data to their locale......Another principle driving the development web services is efficiency: there should be no wasted resources. To make more efficient use of their servers, a web service might replicate user data across multiple data centers in different regions. If one region sees more user activity and has trouble meeting demand, the network might instead route some user activity to a service's replica in a different region...... A web service can save crucial resources by processing data in batches on a set schedule. These operations don't necessarily need to have the same redundancy as other, more user-visible processes, so data can be copied to one single location that is responsible for all of the expensive work. That location might be any one of the data centers that the service operates around the world."
The common thread between all these processes is the ability of a service provider to rely on infrastructure across the world seamlessly. This allows service providers to scale as per user's requirement at a fraction of the actual cost which benefit is passed to the user. Thus, the pricing of web-services is intrinsically linked to the ability to use multiple servers and networks efficiently and strategically.
C. What is Data Localization? Due to the transient and pervasive nature of data on the internet, its security is constantly threatened and indeed been breached at several instances. Data localization is a measure adopted to give countries increased control over the data belonging to their citizens and residents in the interest of enforcing data protection regime set by the country and to secure the critical interests of the nation state. This is achieved by encumbering the transfer of data across national borders – including through rules preventing transmission of data outside the country, requiring a copy of the data to be stored within the country or tax on export of data, and enforcing applicable laws of the country vis-à-vis data security.12
D. The raging debate: Summarized below are the popular arguments on the topic:
|S. No.||Arguments for Data Localization in the Committee Report13||Arguments against Data Localization|
|1.||Enforcement by local
law agencies: A requirement to store personal data locally
would boost law enforcement agencies' efforts to access
information required for the detection of crime as well as in
gathering evidence for prosecution. This is because it would be
easier for law enforcement agencies to access information within
their jurisdiction as compared to waiting for responses to requests
made to foreign entities which store data abroad.
The Committee Report makes a disclaimer to the above argument that keeping server locally will not lead to a perfect compliance since despite being located physically in India, a conflict law question may arise if the country of the concerned entity's registration or any other country with which the entity or the claim is substantially connected, also asserts jurisdiction. However, the Committee Report clarifies that if personal data is within the India then the possibility of a foreign entity refusing access to such data would be reduced.
|Safety of the
data14: The irony of the enforcement argument is
that restricting service providers to use the infrastructure within
a limited geographical territory increases the threats to data
security. This is because the internet enables centralized data
storage and processing, taking advantage of economies of scale and
a seamless, global internet. If, web service providers are unable
to draw on the infrastructural architecture across the world, then
the argument of data security and by extension data enforcement is
undermined. Creating check-posts and border controls on
transmission of data splinters the internet the core of which is
interconnectedness into several clusters of networks. This
balkanization of the net weakens the data security measures
Data versus Data Center – Jurisdiction: Mere location of a data center within the physical jurisdiction of a country does not entitle law enforcement agencies to have better access to data held by such centers. Access to data depends on who has custody, control and possession of the actual data - and that may not necessarily be with the entity that provides the local hosting facility.
vulnerabilities of relying on fiber optic cable
network16: A large amount of data is transmitted
from one country to the other via undersea cables. The location of
almost every undersea cable in the world is publicly available,
which increases the risk of vulnerability of the internet and
cross-border transfer of data.
||Localizing data center does not curtail vulnerabilities: Data destruction doesn't always require a continent-scale event. The study by the Leviathan Security Group17 reports that in 2011, a slow water drip in a nondescript office building in Calgary, Alberta set off an explosion that caused days of computer outages for hospitals, ambulances, radio stations, taxis, and criminal justice facilities around the province.|
surveillance: Data relating to critical state interests must
be drawn up for exclusive processing in India and any such
obligations should be limited to it. All other kinds of data should
remain freely transferable (subject to the conditions for
cross-border transfer mentioned above) in recognition of the fact
that any potential fear of foreign surveillance is overridden by
the need for access to information. Thus, for prevention of foreign
surveillance critical personal data should be exclusively processed
within the territory of India.
cannot stop foreign surveillance: Several foreign governments
are reported to use sophisticated malware for data surveillance.
Thus, physical access to the data storage or processing facilities
is not technically necessary in order to conduct surveillance
Threat of domestic surveillance:18 By extension of the same argument as the advocates of data localization, local government may exercise greater coercive power over domestic businesses storing data to circumvent legal protections.19
|4.||Cost of data
protection trumps: All or most legal obligations give rise to
economic costs for regulated entities and thus mere increase in
costs cannot be reason not to introduce legal change. Rather, it
must be shown that the costs incurred due to rules demanding local
processing outweigh the benefits of such a requirement. This must
be done while keeping in mind that the benefits run to the core
objectives of data protection.
Building an AI ecosystem: In the coming years AI is expected to become pervasive in all aspects of life that are currently affected by technology and is touted to be a major driver of economic growth. Azmeh and Foster in their 2016 study, point out the benefits that developing countries can derive from a policy of data localization. These include: first, higher foreign direct investment in digital infrastructure and second, the positive impact of server localization on creation of digital infrastructure and digital industry through enhanced connectivity and presence of skilled professionals. Creation of digital industry and digital infrastructure are essential for developments in AI and other emerging technologies, therefore highlighting the significance of a policy of requiring either data to be exclusively processed or stored in India.
localization20: Reports suggest that the costs of
effecting the data localization requirements are prohibitive. A few
i) The report from Levianthan Security Group shows that data localization measure raise cost of hosting data by nearly 30 % to 60%.
ii) The European Center for International Political Economy reported that enacted or proposed data localization policies in China, for example, would cost as much as 1.1% of its GDP: reducing domestic investment by 1.8%, exports by 1.7%, and welfare by the equivalent of 13% of each citizen's salary. The same report also stated that in the European Union, the costs would add up to .4% of its GDP, reduce investment by 3.9%, and result in welfare costs up to USD193 billion.
Cost of data breach: One must also consider the revenue leakage that will be unavoidable during the transition from the present set-up to a new regime. The 2018 Cost of a Data Breach: Global Overview study22 reports that the global average cost of data breach is already up to 6.4 percent over the previous year to USD 3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent per year over to USD148.
Today, India is poised to write history in the story of evolution of the internet. The question of whether data localization provisions should be implemented, to what extent and their efficacy – must find its basis on the back of (i) a thorough understanding of the technologies and processes used for hosting data and providing services on the internet; and (ii) a study of the cost and value of a move of this nature. A lack of these critical knowledge will leave India with a hollow framework of laws which causes more loss than protection, and as Sir Arthur Conan Doyle, author of Sherlock Holmes, said "It is a capital mistake to theorize before one has data."
1 See 'Current Issues of Cross-Border Personal Data Protection in the context of Cloud Computing and Trans-Pacific Partnership Agreement: Join or Withdraw' by George Yijun Tian, available at http://hosted.law.wisc.edu/wordpress/wilj/files/2017/12/Tian_Final.pdf; 'Data Localisation and the Balkanisation of the Internet' by Erica Fraser, available at https://script-ed.org/wp-content/uploads/2016/12/13-3-fraser.pdf; and also 'Data Localization Laws and their Impact on Privacy, Data Security and the Global Economy' by Bret Cohen, Britanie Hall and Charlie Wood, available at https://www.americanbar.org/content/dam/aba/publications/antitrust_magazine/anti_fall2017_cohen.authcheckdam.pdf. In 'Data Nationalism and Its Discontents' by Christopher Kuner, published in Emory Law Journal (2015), available at http://law.emory.edu/elj/_documents/volumes/64/online/kuner.pdf, the author points that the phenomenon can be traced back to the 1970s and 1980s, when in 1976 Brazil required the prior permission of a government board for the use of international computer networks (such as corporate networks and foreign databanks) that transferred or accessed data outside the country.
2 See https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order and https://www.theguardian.com/world/interactive/2013/jun/06/verizon-telephone-data-court-order for the original scoop.
3 The Moscow City Court, upheld, on November 17, 2016, a lower court's decision to block access within Russia to Linkedin Corp's website, after finding the website operator in breach of the requirement to store the personal data of Russian citizens in Russia. See 'Roskomnadzor v. LinkedIn: a milestone for the Russian data protection regime' by Konstantin Bochkarev and Paulina Smykouskaya, PwC Russia, available at https://www.pwc.ru/ru/assets/data-protection-leader.pdf; Also see 'Russian Data Localisation Laws: Enriching "Security" & the Economy' published on February 28, 2018 authored by Matthew Newton and Julia Summers, available at https://jsis.washington.edu/news/russian-data-localization-enriching-security-economy/.
4 See 'Russia Partially Releases 2018 Data Privacy Inspection Plans' posted on November 28, 2017 by Natalia Gulyaeva, maria Sedykh and Bret Cohen, available at https://www.hldataprotection.com/2017/11/articles/international-eu-privacy/russia-partially-releases-2018-data-privacy-inspection-plans/.
7 See Chapter VIII on Transfer of Personal Data Outside India, in the Data Protection Bill. Section 40 of the Data Protection Bill provides the restrictions on cross border transfer of personal data. This Section stipulates that every data fiduciary must ensure storage, on a data server or data location in India, of at least one serving copy of personal data to which the Act will apply. The Central Government may, however, notify categories (other than sensitive personal data) as exempt from this requirement on the grounds of necessity or strategic interests of State to data. The Central Government has also been empowered to notify categories of personal data as critical personal data that must only be processed in a server or data centre located in India. Section 41 contains the conditions for cross border transfer of personal data (other than the notified personal data).
8 The Consultation Paper on Cloud Computing issued by Telecom Regulatory Authority of India, on June 10, 2016 available at https://www.trai.gov.in/sites/default/files/Cloud_Computing_Consultation_paper_10_june_2016.pdf, relies on the definition of cloud computing provided by National Institute of Standards and Technology (NIST, USA), US Department of Commerce. The NIST definition of cloud computing is: "a model for enabling ubiquitous convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
9 The four attributes of cloud computing as listed under the Consultation Paper on Cloud Computing issued by TRAI are – a) data intensive, b) resource pooling, c) scalability & rapid elasticity, and d) on demand access.
10 See 'Understanding Sharded Caching System' written by Lorenzo Saino, Ionnis Psaras and George Pavlon, Department of Electronic and Electrical Engineering, University College of London, which explain sharding as "a widely used technique to horizontally scale storage and caching systems and to address both processing and storage capacity bottlenecks. According to this technique, a large set of items is partitioned into set of segments, named shards, based on a result of a hash function computed on the identifier of the item. Each shard is then mapped to a physical storage or caching device. This technique practically enables to partition data across members of a cluster and to identify the member of the cluster responsible for a given item by simply computing a hash function."
11 See 'Where is your data, Really?: The Technical Case Against Data Localization', by Dillion Reisman, available at https://www.lawfareblog.com/where-your-data-really-technical-case-against-data-localization.
'12 Data Nationalism' authored by Anupam Chander and Uyen P. Le, available at http://law.emory.edu/elj/_documents/volumes/64/3/articles/chander-le.pdf.
13 See Chapter 6: Transfer of Personal Data Outside India of the Report issued by the Committee of Experts under the Chairmanship of Justice B. N. Srikrishna.
14 See 'The Harms of Forced Data Localization' by Frank Heidt dated February 25, 2015, available at https://www.leviathansecurity.com/blog/the-harms-of-forced-data-localization.
15 See para (b) (ii) under 'II. Exceptions to Free Transfer of Personal Data Outside India' at page 94 of the Committee Report, where it addresses the issue on 'Balkanization of the Internet and Domestic Surveillance and Censorship'. However, the argument there is centered around domestic surveillance, censorship and the freedom of speech.
19 See 'Data Localisation and the Balkanisation of the Internet' by Erica Fraser, available at https://script-ed.org/wp-content/uploads/2016/12/13-3-fraser.pdf. Also see the Committee Report which argues at page 95 that "While this argument has a certain intuitive appeal, on reflection it suffers from certain logical flaws. First, merely because data is located in a country does not render it vulnerable to censorship. If censorship is indeed made possible, it requires, in addition, a dysfunctional data protection law that allows governments the tools to facilitate such censorship. It is certainly not an automatic consequence of local retention or restriction to local processing." However, the Committee Report also argues that most technologies are US headquartered, and "Based on such access to the data or presence in a foreign jurisdiction, laws of foreign countries may potentially allow surveillance. This is not fear-mongering — the PATRIOT Act amendments to FISA have precisely this effect." Point to note here is that India also has similar surveillance laws. In fact a report titled 'For their eyes only: The commercialization of digital spying' published in 2013 by the Citizen Lab and Canada Centre for Global Security Studies Munk School of Global Affairs, University of Toronto reported that it had found command and control servers for FinSpy backdoors, part of Gamma International's FinFisher "remote monitoring solutions", in a total of 25 countries which included India also alongside the US and UK. The report is available here - https://citizenlab.ca/storage/finfisher/final/fortheireyesonly.pdf
20 See 'Cost of Data Localisation: Friendly Fire on Economic Recovery' published in ECIPE Occasional Paper No. 3/2014, authored by Matthias Bauer, Hosuk Lee-Makiyama, Erik van der Marel and Bert Verschelde, available at http://www.ecipe.org/app/uploads/2014/12/OCC32014__1.pdf; Report on 'Measuring the Value of Cross-Border Data Flows' prepared by the Economics and Statistics Administration and the National Telecommunications and Information Administration, U.S. Department of Commerce, September 2016, available at https://www.ntia.doc.gov/files/ntia/publications/measuring_cross_border_data_flows.pdf; 'Quantifying the Cost of Forced Localization' by Leviathan Security Group (2015), available at http://static1.squarespace.com/static/556340ece4b0869396f21099/t/559dad76e4b0899d97726a8b/1436396918881/Quantif%20ying+the+Cost+of+Forced+Localization.pdf.; 'Tracing the Economic Impact of Regulations on the Free Flow of Data and Data Localisation' published in May 2016 by Matthias Bauer, Erik van der Marel and Martina F. Ferracane, available at https://www.cigionline.org/sites/default/files/gcig_no30web_2.pdf.
21 A summary of the various studies on cost implication from data localization is available here http://www2.itif.org/2018-international-internet-priorities.pdf.
22 Independently conducted by Ponemon Institute LLC, benchmark research sponsored by IBM Security and available at https://public.dhe.ibm.com/common/ssi/ecm/55/en/55017055usen/2018-global-codb-report_06271811_55017055USEN.pdf.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.