Google, among others, has complained loudly that the RBI’s six-month deadline, which is approaching fast, is too short.
India has a long history of drafting laws to protect its companies. In the process, Indians themselves often suffer. That’s precisely what will happen if the government proceeds with plans to force companies doing business in India to store all customer data locally. The first salvo in this campaign was fired in April, when the Reserve Bank of India ordered companies to store the “the entire data relating to payment systems operated by them … in a system only in India.” The central bank claimed this was necessary to ensure its “unfettered supervisory access” for “better monitoring.”
While India isn’t the only country to prevent companies from sending their data offshore, the RBI edict was unusually strict. Even Russia allows copies to be kept elsewhere.
Google, among others, has complained loudly that the RBI’s six-month deadline, which is approaching fast, is too short. Meanwhile, the government has begun considering a draft data-security law that requires data centers for all companies be physically located within India. The committee that drafted that law overstepped its mandate badly; it was supposed to limit itself to figuring out new rules to protect consumer data and instead focused on growing digital-economy companies. Separately, a government think tank has also produced an e-commerce policy which requires the storage of customer data in India.
India’s track record on the regulation of new technologies is abysmal. The RBI has been a particularly grave offender: India has yet to develop a proper digital-payments infrastructure largely because the central bank stifled its growth at birth, insisting that telecom companies offering cheap money-transfer services become banks first. Indian companies such as Airtel rolled out services in East Africa instead. Then, in 2014, the RBI required that every online card payment, even the smallest, go through a two-factor authentication process. To pay for an Uber in India, you have to enter your credit card password, swiping at your phone in the rain or blinding sun, even if your ride has cost only $1.50.
Perhaps many of these decisions would have been different if Indian bureaucrats had ever had to take a cab, transfer money to a village through an SMS or the like. Their distance from the country they seek to regulate unfortunately has few peers in the world.
The fact is that the arguments used to justify the need for data localization simply aren’t persuasive. Proponents say, first, that places such as China do it. This barely requires a reply: China really shouldn’t be a model for anyone designing a free and open digital economy.
The second argument is that preventing foreign companies from repatriating and making money off of Indian consumers’ data will help Indian companies grow: If data is the new oil, then surely Indian companies should have exclusive access to Indian data they can mine? This nativist instinct is in line with the rest of the national e-commerce policy, which openly seeks to tilt the playing field in favor of domestic companies; the panel that wrote the policy very noticeably excluded members from the big credit card companies, as well as Amazon and Uber.
But, for one thing, some existing “Indian” payments companies, such as the largely Chinese-financed Paytm, are Indian in name only. And localizing data will wind up hurting Indian companies that seek to integrate with the world. Can you imagine the Indian business-process outsourcing industry surviving a data trade war? A borderless internet is what turned India into an IT services superstar; localization is just another kind of economic wall, not dissimilar to the tariffs that the government has begun to reimpose on imports after a generation of openness.
Finally, in a particularly Orwellian twist, the government has claimed that keeping data in the country will protect Indians’ privacy. In actual fact, that just means that Indian bureaucrats will be able to get their hands on it. India’s privacy laws are weak; messages can be intercepted just on a senior security official’s say-so, with minimal oversight or accountability, and even this requirement is widely ignored. Moving Indians’ data from the relative security of U.S.-based servers to ones that their own government can access with ease is not going to make them any safer. Most Indians would trust Google’s commitment to its users much more than they would their government’s commitment to its citizens’ privacy. I certainly do.
When governments build barriers to protect companies, then consumers suffer, growth stagnates, and the entire country falls behind the rest of the world. Data localization limits possibilities for India’s vibrant startups; they should be able to locate their servers wherever they want and use whatever cloud services make most sense for them. As for consumers, they have the right to access a free and unfettered internet and to use the highest-quality or cheapest online services they can find. And, certainly, they have the right to store their personal data wherever they want. Moving to a “splinternet” would hurt people and businesses worldwide — but those in India more than most.