Data protection norms should be about security standards not about whether the data is localised
India could lose nearly $8.4 Bn (over INR 62K Cr) annually due to data localisation impact on tech businesses
A 2018 survey found that 52% of Indian companies with $100 Mn-$1 Bn revenue reported a data breach
“Data is the new oil, the new gold”
If the Indian central government in 1991 was the government of globalisation, Prime Minister Narendra Modi’s current Indian cabinet and the administration can be called the government of localisation.
The foundation of Modi’s rise to power and his popularity, and to some extent the historic second term victory earlier this year, has come on the back of a nationalistic and India-first fever — whether that is in the politics or in the policies.
From Make In India to Startup India, the Modi government has created two massive pillars for the Indian economy and the third pillar could very well be data.
When India’s wealthiest man and Reliance Industries chairman Mukesh Ambani and the Prime Minister share the same ‘data is oil’ sentiment publicly just a few weeks apart, there can be no doubt about what the next big thing in India is.
Data localisation is as a good thing by many observers, but many others would argue that India’s startup culture has been built on the free flow of data. The first wave of startups in India during the dotcom boom — the one that created India’s ITeS (information technology-enabled services) and BPO (business process outsourcing) industries — made local companies global MNCs on the back of cross-border data flow.
As per the Global Services Location Index (GSLI), in 2016, India was the top destination for BPO services. The government’s push for data localisation is likely to raise a wall against free data flow, which has been a key catalyst in the success of Infosys, Tata Consultancy Services, Cognizant and Wipro.
Are we heading towards a Walled Wide Web from the World Wide Web?
At least some of the concerns around data and keeping control over it are in the name of national security. If the government is indeed serious about taking data localisation to the extremes of China, then that might very well be the case.
Data localisation is a central aspect in the Srikrishna Committee’s Personal Data Protection Bill 2018 (PDP Bill), government’s cloud computing policy, the RBI’s mandate for financial data and even among bodies taking decisions on data around ecommerce companies and online services. The justification remains that data localisation is directly linked to the sovereignty, national security, and economic development of the country.
If the Personal Data Protection Bill is indeed passed as a law, it would become India’s first privacy law. Released in July 2018, the draft bill includes provisions that require a copy of all online personal data of Indians to be stored within the country. It also proposes that certain “critical personal data” be processed only in India. The Reserve Bank of India has also issued a circular mandating all payments companies to store data of Indian customers within India.
While there can be no doubt that data is indeed a significant component of the digital economy, the arguments for localisation make a lot of sense on paper. For one, the growth of digital payments in India means there are new startups, innovations and use-cases coming up every day. In light of this, data is ubiquitous but it’s also important to improve supervision to prevent fraud, crime and theft of data, especially given that many global players have their databases and processing systems in locations across the world.
Data Needs Protection, Not Localisation
As criminals and corporations realise that data is indeed equal to money, there has been a significant rise in data security threats, scandals and attacks in current times. In 2019 alone, there have been over 3,800 global breaches so far exposing over 4.1 Bn records. Compared to the same duration in calendar year 2018, the number of reported breaches are up 54% and the number of exposed records has risen by 52%.
In a study conducted on Indian companies with revenue ranging between $100 Mn and $1 Bn, 52% of the respondents reported a data breach in 2018. The cost of data breaches jumped 7.9% shot up to ₹11.9 crore in 2018 from 2017.
In the context of government cybersecurity, the most glaring example of weak security remains India’s national ID Aadhaar. In January 2018, the Aadhaar-governing body Unique Identification Authority of India (UIDAI) denied leaks from the Aadhaar database, despite the fact that access to the database was obtained by journalists for as less as INR 500.
Since then, a number of incidents have brought to light the poor security measures in place in the government’s crucial Aadhaar infrastructure. With leaks becoming so common, the UIDAI’s denials became memes and viral internet jokes.
But the government sees a bigger threat from private companies and their data handling, which has prompted the Personal Data Protection Bill, 2018. In the light of the Facebook-Cambridge Analytica scandal, which had deep political implications, this fight to have control over Indian data is reminiscent of how China prefers to look at internet and user data.
Does Data Localisation Even Work?
With each passing day, technology and digitization are becoming the panacea for all problems! The world is taking significant strides towards the adoption of technology and digitalisation in almost all walks of life. In a connected world, data needs to flow freely across borders and boundaries. And while questions of protecting user privacy are legitimate and need to be addressed, is data localisation the answer?
And if it indeed is, then what about the impact on the economy?
According to a 2016 study by the European Centre for International Political Economy, the EU’s GDP would gain €8 Bn, the same amount as all EU free trade agreements, by abolishing data localisation measures. On the other hand, with data localisation measures as strict as those proposed in India, the EU would lose over €50 Bn annually or 0.5% of its entire GDP. If we assume similar effects, India could lose nearly $8.4 Bn (over INR 62K Cr) annually.
With the economy showing slowdown signs, such revenue loss due to data localisation could be catastrophic in the long run.
How Will India Inc And Startups Be Affected?
To meet the expectations of the data localisation bill, companies would need to spend huge amounts on setting up local servers, among other infrastructure costs. Experts believe this may become a big hurdle for existing companies operating in India, and makes it more expensive for new ones to set up shop. It will particularly impact international internet companies such as Google, Facebook and Twitter, which already have millions of users in India but store their data at remote locations.
While bigger entities may manage to muster the resources to meet this requirement, India will become extremely undesirable for smaller companies and international startups.
For Indian startups, particularly for fintech, cloud and SaaS startups, it is a double-edged sword. Among these solutions, startups and companies with B2B models would be landlocked to India for the most part, and raises barriers for international expansion. It would reduce the options for smaller startups to avail data security and storage at global competitive rates leading to an increase in operational and tech cost. Although, startups in later stage would be able to survive, increased setup cost would discourage new tech startups from coming up.
For global security and storage providers working with Indian companies such as Amazon Web Services, Microsoft Azure, Google Cloud and others, it would become difficult to offer global pricing due to the mandate of keeping a local copy of all transaction data within Indian borders. This nearly doubles the required capacity for India operations. Maintaining a copy of data in India would involve a high setup and operational cost. This would further discourage any global data storage companies setting up shop in India.
Furthermore, the effect of such stringent data localisation law can play a diabolical role in creating a monopoly in the market.
The pro data localisation lobby is being led by none other than Ambani. Recently, Ambani emphasised on data protection saying, “In this new world, data is the new oil. And data is the new wealth. India’s data must be controlled and owned by Indian people and not by corporates, especially global corporations.”
And just a few weeks later Modi repeats a similar line in the United States, home of Amazon, Google, Microsoft, Facebook, Twitter and every other major internet corporation that will be affected by the law.
“For India to succeed in this data-driven revolution, we will have to migrate the control and ownership of Indian data back to India in other words, Indian wealth back to every Indian,” Ambani added, but it could just as well have been Modi saying it, such was the nature of the statement.
Needless to say, Reliance Jio with nearly 340 Mn users (by July 2019) and a slew of digital services including the major OTT sector is banking on data localisation to thwart growth of international players.
Ambani’s direct attack on foreign companies comes with the backdrop of Reliance Jio’s plans to expand its presence in the fintech sector. But Jio’s rise itself is largely thanks to the mad data consumption spree in India which includes more engagement time for international internet services such as TikTok, YouTube, Netflix, Amazon Prime, WhatsApp, Instagram and Facebook.
It’s not just Ambani — on the startup ecosystem side, Paytm chief Vijay Shekhar Sharma has also been vocal about data protectionism in the past and welcomed the RBI’s mandate. It’s worth noting that international funds and investors such as Berkshire Hathaway, SoftBank and Alibaba have backed Paytm with major funding.
JioMoney and Paytm are competing with global players such as Google Pay, Amazon Pay and Facebook-owned WhatsApp Pay in India.
With data localisation manadates in place it would be difficult for global companies to compete without spending more, and we have not even talked about data localisation in the ecommerce sector, where Reliance is expected to make a big entry this year.
More Power To The Executive!
While the bill intends to improve transparency and accountability, this authority — comprising a chairperson and six other members appointed by the central government — would hardly operate autonomously.
The bill provides excessive powers (to) the central government, especially under Section 98 which not only states that the central government can issue directions to the authority, but also that the authority shall be bound by directions on questions of policy in which the decision of the central government is final.
To worsen matters, the criminal liabilities making all offenses cognisable and non-bailable under this bill is worrying. The bill also does not provide any specific time period for businesses to comply with the provisions either, like GDPR did.
Data Security Needs To Be A Priority
Localising data does not in itself convey too many security benefits if it is not strictly protected. Ideally, the law should target the measures taken by data storage entities in protecting it.
One only has to look to the recurring breaches of the Aadhaar database through various government sources to understand that storing data locally does not, by itself, keep data protected.
Until India has a data protection law and demonstrates robust enforcement of that law, it’s difficult to see how storing user data in India would be the most secure option.
The consumer and the society at large will notice any benefits from data localisation measures and, in fact, the cost of digital subscriptions and services is likely to rise.
Rather than choosing the best, fastest, and cheapest providers to store data, the choice is limited to domestic providers who have little incentive to provide superior services due to the lack of competition, due to the market barriers mentioned above.
It might hinder Indian startups from growing globally and selling abroad because the cost for servers and cloud infrastructure may give them a competitive disadvantage. For startups from Europe, data localisation measures could be a reason not to scale to India because of an additional burden and cost of storing data locally.
In July 2019, after lobbying by the likes of Mastercard and Visa, India’s commerce minister met technology companies and heard their concerns about various federal plans to push for more stringent rules on data storage, which government officials say would help them better access data and conduct investigations. However, no specific revisions have been discussed yet publicly.
And in light of PM Modi’s most recent statement on the world stage in the US, it’s very unlikely that the status quo is about to change. It’s more likely that the government’s hard stance on a number of issues — ranging from cryptocurrency to taxation — will be extended to the data sector as well.CHECK OUT DATALABS BY INC42
With inputs from Nikhil Subramaniam