In February 2019, FireEye – a US cybersecurity firm – zeroed in on a hacker tagged only as ‘fallensky519’ who was on the Most Wanted List for stealing personal data of 6.8 million users from an Indian healthcare website. A few months later, in October, a Singapore-based cybersecurity company – Group IB – spotted over 1.3 million credit and debit card details from Indian banks for sale at $100 apiece. A month later, in November, Facebook and Twitter were the unlucky targets of malicious third-party apps that were stealing user data using One Audience and Mobiburn SDKs.
What then do these nefarious data breaches predict for the future of data privacy and data security in our ever-evolving technological world? Who is to be held responsible when data is handled with criminal intent? Is it the user, the government’s regulatory laws, or just the fact that sensitive data is not always stored where it originated but entrusted to foreign countries for safe-keeping?
This is where data localization and data sovereignty come into the picture. Data localization is the act of physically storing data – electronic or otherwise – within the borders of the country where it was created. Data sovereignty is a symbolic concept which makes data subservient to the laws and governance structures of the country where it resides.
Countries like China, the US, Russia, Brazil and Indonesia have already implemented or are in the process of implementing stringent data localization laws. In fact, Europe has a new data protection regime that caps cross-border data flows to countries that do not have foolproof data protection laws in place. Similarly, China administers strict data localization policies that companies must follow in order to function.
The driving purpose of data localization is to protect the personal and financial information of the country’s citizens and residents from foreign eyes. It also gives local governments and regulators the right to summon and use the data as and when required. This holds especially true in the area of law enforcement. Agencies should have instant access to information to gather incriminating evidence against criminals, without getting entangled in the time-consuming legal procedures of the nation hosting data generated in India. When sensitive data is not localized, law enforcers are compelled to rely on Mutual Legal Assistance Treaties or MLATs to access critical data, which in turn delays justice. However, access by local law enforcement should also be regulated and tracked strictly so that the provision is not misused.
In 2018, the RBI made it compulsory for all payments-related data to be stored only in India. This included credit card payments as well as all electronic and digital payment services. This strict ruling was a reflection of the Data Protection Law drafted by the Srikrishna Committee in 2018. The Committee’s Data Protection Act sought to protect sensitive citizen data by storing it locally. An independent regulatory body called the Data Protection Authority (DPA) would become responsible for the enforcement and effective implementation of the Act, with heavy penalties for violations. Accordingly, the Aadhaar Act would also be amended to support these changes.
RBI’s diktat perked up the business interests of global and domestic conglomerates and technology giants. Global investors began to strategize and secure investment opportunities in the Indian data center industry. Given the high demand from data localization, India needs to forge ahead and ramp up its data center capacity by at least 5 times in the next 5 to 7 years so as to handle the massive influx of data. The global industry is estimated to reach $228 billion in the next 5 years. The largest impact and contribution is expected to come from China and India, whose burgeoning populations will directly affect digital data traffic, IoT growth, and cloud services, thereby fueling huge economic growth in the APAC region.
India is poised to become one of the top 3 data economies in the world over the next 10 years. Headed for exponential growth, India will need to avoid a single point of failure by distributing its data and data centers across multiple regions of the country that have sustainable infrastructure, especially to support sustainable data localization.
While India’s data localization is opposed by many lobby groups, one cannot deny that India’s data is its national treasure and needs to be protected with strict cross-border regulation.