Data Localization: Time for Bold Action
Why India Needs to End Delays and Enact New Requirements
To enhance data security, it's time for the Indian government to stop talking about requiring data localization and spell out - and enforce - tough requirements.
The Indian parliament has repeatedly delayed a vote on India's proposed personal data protection bill, which would require a copy of all personal data be stored in India, while "critical" information would have to be stored only in the country.
Having data stored on local servers would help law enforcement officials, who have struggled to obtain data residing in other countries to support their investigations. And another argument in favor of data localization is that it would make it easier to ensure all Indians' data is protected in compliance with local laws.
In a recent visit to the U.S., Prime Minister Narendra Modi addressed American companies concerned about India's planned data localization requirements, assuring them that in drafting the final law, business needs as well as the rights of data owners would be considered, according to the Times of India.
U.S. corporations have repeatedly expressed concerns about India's proposed data localization requirements, arguing that compliance would prove too costly and the privacy and security benefits would be minimal.
There are reports that, as a result, the Indian government is considering softening the requirements. It may, for example, tweak the provision in the bill to allow personal information that's neither "critical" nor "sensitive" to be stored and processed anywhere in the world, while data classified as critical would have to be stored only in India.
But because India is such a big market for major U.S. companies, such as Amazon and Google, they will have no choice but to comply with any new requirements the government adopts. So the government shouldn't shy away from bold localization requirements just because these firms object.
Personal Data vs. Business Data
In their meeting with Modi, U.S. companies also reportedly asked that India create different requirements for personal data and business data, arguing that tougher privacy requirements should only apply to personal data. But differentiating between the two types of data would prove extremely difficult.
Steven Feldstein, professor at Boise State University, informs me: "I am not sure if we can put in place a clean separation on what is business and what is personal. We need a public debate on this."
Singapore-based Aloysius Cheang, executive vice president for Asia Pacific at The Center for Strategic Cyberspace + International Studies, offers a good suggestion. He tells me that consumers should be able to designate their data as "sensitive" and that businesses should then be required to adequately protect that data, such as by not using it for any data mining, artificial intelligence or certain other purposes.
India should consider separate legislation that addresses maintaining the privacy of the residual categories of data, such as corporate data identifiable with a person. It should develop requirements for the handling of non-personal data, to meet business interests, while making sure requirements for protecting personal data are adequate.