With a parliamentary panel reviewing India’s personal data protection Bill, a great deal of attention has come to bear on data localisation — a potential legal requirement to store the data of local citizens within the country’s geographical borders in a bid to protect personal data. Critics of data localisation policies call it data nationalisation, while critics of data-guzzling companies such as Google and Facebook dub it ‘data colonisation’. A choice of terms in itself reveals one’s bias.
When is data localisation — perhaps the most neutral of the three terms — ever a real need? Should it apply to financial data? Or perhaps health data, as Australia has done? Would it be fair to apply it to just about any personal data including, say, voluminous social media posts or shopping preferences? When does data localisation become data nationalism? When exactly does data hogs turn data colonists?
Clearly, there are no simple answers. It might be the case that, like foreign policy, national interest — rather than rigid principle — takes precedence. Consider two examples, both involving the United States. In one, it is guilty of not protecting foreigners’ data, while in the other the US accuses China of doing exactly what it does. Such might be a measure of hypocrisy, even if you consider that the two countries are hugely different.
The first comes from a verdict in July by the Court of Justice of the European Union. The court ruled that Facebook’s transfer of personal data of a EU citizen to its servers in the US was illegal, and violated the EU’s privacy law, General Data Protection Regulation (GDPR). The reason: a EU citizen’s data sent to the US is subject to US surveillance laws, and could be accessed by US law enforcement and other agencies.
This violates a key GDPR requirement that the level of protection of EU citizens’ data must be “essentially equivalent to that guaranteed within the EU by the GDPR, read in the light of the Charter [of Fundamental Rights].”
The ruling also scrapped the EU-US Privacy Shield, which governed transfer of personal data by several companies between the two geographical entities. Still, the Court of Justice allowed the data transfers to take place under the so-called Standard Contractual Clauses, so long as data exporters “ensure an adequate level of protection,” rather than a level of protection equivalent to that in the EU. This backdoor is what keeps Facebook and Google data flowing across the Atlantic.
Now consider the case of TikTok. The US in August sought to ban the short-form video app because its servers in China store US users’ data, which could easily end up in the hands of the Chinese government. Essentially, it is the same concern over which the EU court barred data transfers to the US. While both the US and China can equally access the personal data of foreigners, the difference is this: the US is a democracy with established rule of law in such areas, whereas China can, perhaps, arbitrarily access the data.
What is India, or any other country, to do? Perhaps, the tactical thing to do is focus on self-interest, and even use it as leverage to regulate tech companies while global rules sought by Facebook and others emerge.
India does not still have a personal data protection law. So there is much to be done. It is also an opportunity to craft something strong, durable and all-encompassing, and something that places national interest above anything else.
The Indian government has not done too well so far. It has deviated significantly — and dangerously — from the draft Bill proposed by Justice Srikrishna, making sovereign claims over anonymised and non-personal data of companies. It remains to be seen what finally emerges.
But its focus on data localisation is not without merits. The parliamentary panel led by Meenakshi Lekhi has heard the views of global companies, such as Facebook, Twitter, Google and Amazon, and Indian firms, such as Jio, Airtel and Paytm. It is seized of the varied issues but only needs to address the issue of personal data — non-personal data, such as business intelligence gathered by the likes of Amazon are to be addressed by a separate Bill, and financial data is being regulated by the Reserve Bank of India.
What exactly does the personal data include?
Everything we post on social media, along with biographic details, revealed political, social and shopping preferences, location and mobility data, and much more constitute personal data that requires protection and privacy. Personal data saved by individuals as well as companies on cloud services run by Google, Microsoft and Azure constitute another set. France, for example, has advised healthcare companies to not store patient records on US cloud services.
The draft Bill makes a distinction between “sensitive” and “critical” data. While the former requires some form of consent, the latter is mandated to be stored locally and cannot be transmitted overseas. In fines, it proposes a measly $2 million, or 4 percent of presumably the local, not global, revenues. Clearly, as it stands now, the Indian Bill does not go far enough as the GDPR, and the fear is it may end up as an insufficient measure against rampant data excesses of the tech giants.
Bala Murali Krishna works for a New York-based startup. Views are personal.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
