The Draft E-Commerce Policy states that it seeks to create a legal and technological framework to restrict cross border flow of data generated by Indian users and data collected by IoT devices. The current policy directive follows up from the RBI and Shri Krishna Committee’s position of locating data in India with respect to enhancing access for the government.
well understood and appreciated that government access to data for law
enforcement is paramount for national security. However, for the eCommerce
policy to dictate localisation for “data
generated by users in India by various sources, including e-commerce platforms,
social media, search engines etc”.
assume that access of data depends on the location of data, is an incorrect
assumption. Data can be accessed from anywhere in the world, while at the same
time, even if data is located in one country, it does not guarantee access
simply on the basis of geographical location. The host country will have to
comply with international privacy norms, drive a bilateral discussion with the
country whose data is stored and also engage with the fiduciary by enabling a
set of procedures and frameworks to seek access for lawful means and law
enforcement in the host country. At the moment India does not have a data
protection law neither a framework for granting access to data, and unless it
clarifies its procedures it would be difficult for fiduciaries to comply for
any request that may come their way for disclosure of data.
Dialogue conducted a comprehensive study on this topic last year where it was
identified that localising data
generated in India will increase the costs burden on businesses and customers
in India, will not fulfill India’s quest for lawful access to data and will
isolate India from global technological progress. Future investments in digital
sector may be impacted which could be a stumbling block for India’s quest to
emerge as a leading economic superpower. It could separate India’s data sets
from global data sets. This could have significant implications, as it may
reduce the quality of services and products for the Indian market, impede
Indian companies’ progress looking to process foreign data abroad, disinventise
future investments coming into India’s digital economy. Subsequently, it may
also hurt India’s AI progress. IoT and interconnectivity is essential to
realize the potential of fourth industrial revolution and the transformation it
will bring to public services, such as transportation, healthcare, education,
financial services etc. The Prime Minister’s dream of creating smart cities
will be based on the power of interconnected services. However, limiting
cross-border data flows might remove global investments and the value global
data sets could bring.
will reduce competitiveness of Indian firms to compete in global markets. Government should instead focus on
ensuring robust practices to protect data and place enough checks and balances
as well as safeguards for ethical use of data. Internet should not be
fragmented and split into boundaries and we should follow high standards of
security. Restriction of data will reduce innovation, sub-optimal standard of
service and increase cost. Localisation could cost upto 1 percent of India’s
GDP growth, hit projected growth by twenty percent and cost an Indian
worker almost 11% of their average
Another likely bi-product of the
increased costs and lowered efficiency is the reduction of the global reach of
organizations. Data location laws can not only deter but can also act as causes
for organizational exit. Should a private entity no longer consider costs to be
worth the benefits it gets in return, operations in that country can cease to
exist. The direct impact on the firm is the reduction of scope, leading to
reinvesting the capital invested initially. However, the brunt of the exit
might be felt on the host country, and more specifically, their citizens.
Companies ceasing operations on regions can mean jobs lost for hundreds of
workers. On the consumer side, it might mean the lack of options. For the
industry, it might mean the exit for a competitor, for better or worse.
In many cases, it is not possible
to process all data locally and maintain the same quality of service as could
otherwise be achieved (for example, round-the-clock, follow-the-sun customer
service). This is essential for companies that operate globally and follow
Payments may suffer
gradually moved towards making digital and cashless payments a mainstream
reality for its population. For a country that wants to achieve cashless
ecosystem, better financial services are a necessity. Data localisation will be
a step backward for the digital payments industry. Not only would it make it
costlier for international banks to operate, but it would also reduce the
incentive for them to innovate and try out new forms of payment on the front
and back end. It will cut-off India from
fraud detection, as patterns of fraudulent activity that are collected from
across the world and analysed in a centralized location, which thereby help to
improve the technology. Localisation will limit India’s potential to access
such nex generational technologies.
Cyber Security Compromised
will also make Indian data vulnerable to global cyberspace attacks. Security is
not enhanced just because data resides within a particular jurisdiction.
Security is a function of the technical, organizational, and financial capacity
of an entity to protect the data and provide physical protection for a data
center. So instead
of storing data in centers around India, security would be better facilitated
with the creation and use of de-centralized and end-to-end encrypted services
that do not store all consumer data in one place. Slowing down digitization and
cashless expansion due to a localization will also deter the cause of fighting
black money, a cause that the government has been championing.
While at the same time, we understand that the Government would want a robust data center industry in the country. To achieve this, Government should incentivize and encourage companies to store and process India, rather than forcing them to do so. By placing due process of law, adhering to high levels of privacy and complying with international standards of security, Government should seek to create India a rewarding destination for data processing.