Listen to this story
With a population of more than 138 crores, the data generated in India is massive, and the Government of India (GoI) wants to ensure that data generated domestically stays in the country. Over the years, different representatives of GoI have talked about data localisation policies. In fact, data localisation was part of the Personal Data Protection Bill 2021 which got scrapped earlier this year.
Today, most of the generated data is stored and processed outside India. Moreover, since mobile penetration and cloud adoption is on a significant rise, data volume is also growing. Data protection has thus become increasingly important.
Data localisation is growing and becoming more restrictive (Source: OECD Trade Policy Paper)
Subscribe to our Newsletter
Join our editors every weekday evening as they steer you through the most significant news of the day, introduce you to fresh perspectives, and provide unexpected moments of joy
The need for Data Localisation
Governments across multiple jurisdictions today have introduced or are in the process of drafting data localisation laws. National security and the fear of foreign surveillance are major reasons for the Indian government to consider data localisation laws in the first place.
Data stored in a server located in a foreign jurisdiction sometimes make it difficult for law enforcement agencies in India to access them. Such data could prove to be pivotal in an investigation. Hence, the government considers it paramount to have access to all data generated within the country.
Khushbu Jain, Managing Partner at Ark Legal, believes that rules governing data localisation are not motivated by an exclusive national or private interest. Numerous factors simultaneously applied contribute to the localisation regime on restricting cross-border data flows or establishing controls for the transfer of information.
In conversation with Analytics India Magazine, Jain explained that economic benefit may not be the primary motivator for states to attempt restriction in data flows. Citing examples of both developing and developed nations, she stated that the leadership in the global digital economy is keenly linked to establishing claims of technological sovereignty. Furthermore, Jain believes that the upward trend in data localisation observed across the world indicates that arrangements for localised data governance will continue to be a crucial aspect of the transforming social, economic and political order for the near future.
“The data covered by these laws can range from all personal data to only specific types of data, such as health or financial information. In the Indian context, attention has to be drawn to the field of security; given the widespread use of the term ‘big data’, one would expect to find a sophisticated account of what it means, what it does, and how it works in the national security context.”
“Further, given the usage of data, it is pertinent that the free flow of data to a hostile country or anti-national organisation can threaten national security. Evident from the recent move by the US banning TikTok, its valid concerns about Chinese-owned companies and the Chinese Communist Party having access to their citizens’ data,” Jain said.
In India, sector-specific data localisation laws have already been passed. For example, the Reserve Bank of India (RBI) has made it mandatory for all payment data to be stored in the country. Data localisation is expected to be part of the upcoming National Data Centre and Cloud Policy too.
“Data localisation is a means to ensure adequate safeguards against indiscriminate use of data and data leaks. India has the third-highest number of data breaches in the world. Therefore, it is important to secure data privacy, and in that sense, the government’s aim towards data protection and localisation is well placed.”
Devi Shankar, President & Head – Industrial & Logistics, Data Centre at ANAROCK Capital, further said: “Data localisation will enable companies to become more resistant to identity thefts and information leaks and improve the digital ecosystem locally. Setting up physical infrastructure to store data locally would also encourage allied services like fibre network, associated hardware, etc. to grow at scale in India.”
A competitive edge?
Data localisation can be viewed as an opportunity for competitive advantage within the Indian tech ecosystem as the services of foreign tech companies may become dearer—accounting for the massive capital investment incurred towards storing and processing the data locally in India. Devi Shankar believes that this will allow Indian companies to expand their market share and will also steer innovations within India.
Khushbu Jain, who is also a lawyer at the Supreme Court of India, further said that the proposed change in the law would keep data local, restricting both Indian and foreign companies from taking data outside Indian jurisdiction.
“This asset can be the backbone for any burgeoning business and thus one of the reasons for the states looking to implement data localisation, thereby seeking to give their local corporations a competitive edge.”
In concurrence, Devi Shankar shares that, “Besides, compared to other developed countries, the cost of real estate, manpower and network are cheaper in India, and these savings will ultimately be passed on to the end customers. Storing data locally will reduce latency and improve speed, thus increasing transaction efficiency for the companies.”
Why are startups worried?
India is home to the world’s third-largest startup ecosystem. Our digital ecosystem has been on an impressive growth trajectory for the last few years, and tech companies have contributed fairly towards it. However, startups are worried about the GoI looking to introduce data localisation laws.
This is because many startups in India use third-party services from companies based outside of India. Startups often use online tools, analytics software as well as cloud-based servers located outside India, and in most cases, such services often require access to core databases.
“Data localisation mandates will adversely affect the service offerings of such startups and may restrict them in working with an international client base. This can also push startups to register and incorporate themselves outside India. This may compromise on innovation and India’s participation in the global data value chain,” Devi Shankar said.
Further, data localisation may bring additional compliance processes and impact the ease of doing business for such tech companies. This, in turn, might increase their capital expenditure and the complexities of operation in India.
Addressing these concerns, the government may allow the cross-border flow of data as long as it has access to it.
Will it impact digital trade?
Earlier this year, the US government raised concerns that India’s data localisation ambitions could prove to be a significant barrier to digital trade. However, Jain points out that the US also requires data pertaining to the country’s citizens to be processed and/or retained in the country itself.
Shankar believes that data localisation rules definitely add up to more compliance for foreign companies intending to do business in India and would require companies to restructure and rebuild their enterprise architectures. These modifications may then have financial and operational implications.
“It is an additional capital expenditure for them as they will have to invest in data storage infrastructure in India. Data localisation laws can push back Indian firms from entering new markets and generating business insights from the cross-border data flow.”
Devi Shankar concluded that, “GDPR in Europe is a benchmark in data residency laws, and most countries are basing their local laws on GDPR. This is a critical step towards data protection. India is well within its rights to put in appropriate safeguards, especially given the large volumes of data being generated by Indian users. It is, however, important to ensure that the new laws that are proposed keep in mind and address ease of doing business and not create heavy operational roadblocks.”