Why limiting cross-border data flow in the new e-commerce policy is counter-productive
The Draft E-Commerce Policy states that it seeks to create a legal and technological framework to restrict cross border flow of data generated by Indian users and data collected by IoT devices. The current policy directive follows up from the RBI and Shri Krishna Committee’s position of locating data in India with respect to enhancing access for the government.
It is well understood and appreciated that government access to data for law enforcement is paramount for national security. However, for the eCommerce policy to dictate localisation for “data generated by users in India by various sources, including e-commerce platforms, social media, search engines etc”.
To assume that access of data depends on the location of data, is an incorrect assumption. Data can be accessed from anywhere in the world, while at the same time, even if data is located in one country, it does not guarantee access simply on the basis of geographical location. The host country will have to comply with international privacy norms, drive a bilateral discussion with the country whose data is stored and also engage with the fiduciary by enabling a set of procedures and frameworks to seek access for lawful means and law enforcement in the host country. At the moment India does not have a data protection law neither a framework for granting access to data, and unless it clarifies its procedures it would be difficult for fiduciaries to comply for any request that may come their way for disclosure of data.
The Dialogue conducted a comprehensive study on this topic last year where it was identified that localising data generated in India will increase the costs burden on businesses and customers in India, will not fulfill India’s quest for lawful access to data and will isolate India from global technological progress. Future investments in digital sector may be impacted which could be a stumbling block for India’s quest to emerge as a leading economic superpower. It could separate India’s data sets from global data sets. This could have significant implications, as it may reduce the quality of services and products for the Indian market, impede Indian companies’ progress looking to process foreign data abroad, disinventise future investments coming into India’s digital economy. Subsequently, it may also hurt India’s AI progress. IoT and interconnectivity is essential to realize the potential of fourth industrial revolution and the transformation it will bring to public services, such as transportation, healthcare, education, financial services etc. The Prime Minister’s dream of creating smart cities will be based on the power of interconnected services. However, limiting cross-border data flows might remove global investments and the value global data sets could bring.
Localisation will reduce competitiveness of Indian firms to compete in global markets. Government should instead focus on ensuring robust practices to protect data and place enough checks and balances as well as safeguards for ethical use of data. Internet should not be fragmented and split into boundaries and we should follow high standards of security. Restriction of data will reduce innovation, sub-optimal standard of service and increase cost. Localisation could cost upto 1 percent of India’s GDP growth, hit projected growth by twenty percent and cost an Indian worker almost 11% of their average monthly salary
Another likely bi-product of the increased costs and lowered efficiency is the reduction of the global reach of organizations. Data location laws can not only deter but can also act as causes for organizational exit. Should a private entity no longer consider costs to be worth the benefits it gets in return, operations in that country can cease to exist. The direct impact on the firm is the reduction of scope, leading to reinvesting the capital invested initially. However, the brunt of the exit might be felt on the host country, and more specifically, their citizens. Companies ceasing operations on regions can mean jobs lost for hundreds of workers. On the consumer side, it might mean the lack of options. For the industry, it might mean the exit for a competitor, for better or worse.
In many cases, it is not possible to process all data locally and maintain the same quality of service as could otherwise be achieved (for example, round-the-clock, follow-the-sun customer service). This is essential for companies that operate globally and follow different markets.
Digital Payments may suffer
India has gradually moved towards making digital and cashless payments a mainstream reality for its population. For a country that wants to achieve cashless ecosystem, better financial services are a necessity. Data localisation will be a step backward for the digital payments industry. Not only would it make it costlier for international banks to operate, but it would also reduce the incentive for them to innovate and try out new forms of payment on the front and back end. It will cut-off India from fraud detection, as patterns of fraudulent activity that are collected from across the world and analysed in a centralized location, which thereby help to improve the technology. Localisation will limit India’s potential to access such nex generational technologies.
Cyber Security Compromised
Localisation will also make Indian data vulnerable to global cyberspace attacks. Security is not enhanced just because data resides within a particular jurisdiction. Security is a function of the technical, organizational, and financial capacity of an entity to protect the data and provide physical protection for a data center. So instead of storing data in centers around India, security would be better facilitated with the creation and use of de-centralized and end-to-end encrypted services that do not store all consumer data in one place. Slowing down digitization and cashless expansion due to a localization will also deter the cause of fighting black money, a cause that the government has been championing.
While at the same time, we understand that the Government would want a robust data center industry in the country. To achieve this, Government should incentivize and encourage companies to store and process India, rather than forcing them to do so. By placing due process of law, adhering to high levels of privacy and complying with international standards of security, Government should seek to create India a rewarding destination for data processing.
By Kazim Rizvi Founding Director, The Dialogue