Why Data Localization Proposal Needs Refinement
Draft Legislation Goes Too Far in Requiring Domestic Storage of 'Critical' Data
The Srikrishna Committee's recommendation in its draft of a data protection bill that foreign companies be required to only store domestically certain "critical" data of Indians is impractical and will not help prevent breaches.
Most data thefts in India happen because of social engineering and not ID theft, security experts say. So storing critical data locally might be of little help in addressing this issue.
A better approach would be for the government to ensure that all companies handling Indians' data comply with privacy and security standards - and to punish companies that fall short. The government should come up with policies to ensure that data is anonymized and encrypted and that privacy is built in at the design stage.
India vs. U.S.
U.S. tech giants have intensified their lobbying efforts against stringent Indian data localization requirements, which they say will undermine their growth ambitions in India and also lead to increases in costs, according to Reuters.
Under the draft bill, the government would be required to define categories of personal data that are considered "critical," and that data would be required to be processed in a server or data center located in India.
It's completely understandable for the government to review whether its regulatory arrangements reflect best practices in the era of cross-border data flow. The question is: What is the actual problem that it is trying to address?
It seems a major concern is having access to data for investigative purposes.
The draft legislation addresses this issue in another provision that would require data processors to ensure that a "copy" of all data about Indians is located in India. This means that data processors could continue to transfer personal data across borders, subject to the conditions laid down in the bill, but would have to maintain a live mirror of that data in India. The only exception, under the proposal, is that data deemed "critical" could be stored only domestically.
This proposed requirement to store a copy of data locally is far more reasonable than the recommendation that "critical" data be stored exclusively in India. But even a requirement to store a copy locally may prove to cost more than the value it delivers, so that issue needs to be studied before final legislative action is taken (see: Cloud Data Storage Localization: Key Concerns).
Privacy Concern Valid?
Forcing companies to store critical data only in servers located in India might make global companies wash their hands of responsibility when a breach happens.
"The way we held Facebook responsible in the Cambridge Analytica case, can the same be done if tomorrow we ask them to store data only in servers located in India?" asks Sriram Natarajan, payments and risk management expert.
Some security experts argue that the move will benefit only the government, because it would make surveillance easier.
Parliament will be considering the draft legislation at a time when the United States and India are locked in disputes over U.S. trade tariffs and on the Indian policy of capping prices of medical devices, which hurts American pharmaceutical companies.
Also, the U.S. government's decision to put a cap on the number of H-1B visas issued has upset Indian government leaders. The H-1B visa is a non-immigrant visa that allows U.S. companies to employ foreign workers in specialty occupations that require theoretical or technical expertise. U.S. technology companies depend on it to hire tens of thousands of employees each year from countries such as India and China.
The data storage recommendations in the bill seem to be a subtle way of getting back at the U.S.
As it considers refining the legislation, Parliament should immediately drop the provision calling for domestic storage of data deemed critical. The provision requiring a copy of all data to be stored in India is appropriate, if a study does indeed prove it's worth the costs.
But more important, the final legislation should spell out tough requirements for compliance with privacy and security standards - no matter where Indians' data is stored - and harsh penalties for failing to meet those requirements.