Data localisation, if implemented, without adequate preparation and accountability measures, may reduce freedom of speech while enhancing risks of censorship, privacy violations, data breaches and cyber-attacks.
The need for data localisation mandated under the Personal Data Protection Bill may lead to enhanced risks of privacy violations, cyber attacks, and data breaches, according to trade and regulatory think-tank Cuts International. According to a study titled Consumer Impact Assessment of Data Localisation conducted by Cuts on data localisation impact from the consumer perspective, consumers perceiving higher risks showed lower levels of data usage. Data localisation, if implemented, without adequate preparation and accountability measures, may reduce freedom of speech while enhancing risks of censorship, privacy violations, data breaches and cyber-attacks, the study said.
Data localisation may “lead to loss of international competitiveness among service providers along with creating a ‘honeypot of data’ based in a single location and hence increasing risks of data breaches and cyber-attacks,” Udai S Mehta, Deputy Executive Director, Cuts International, told Financial Express Online. The study, which surveyed around 1,300 users of data-led services and interacted with 40 experts in government, legal, service providers, civil society organisations and academia, added that experts were “sceptical of the state having adequate cyber-security experts and vulnerability proof digital infrastructure for securing personal data stored within the country.”
The experts also questioned the ability of law enforcement agencies to fight cyber crimes, even as they stressed the chances of excessive government tracking of personal data, said Mehta. Among the changes made last year to the data localisation provisions of the 2018 bill, non-sensitive and non-critical personal data need not be stored in India, whereas the earlier version required a copy of all personal data to be stored in India. However, it may be difficult to store different types of personal data separately, said Cuts. Among other changes, the 2019 bill also expanded the scope of personal data to include online and offline features, potentially increasing the scope of sensitive personal data and critical personal data.
The report also pointed to the possible adverse impact on the availability of services and on innovation, as data localisation may raise the cost of operations (due to the need to set up data centres in India) to serve Indian consumers. This may impact small businesses as they may not be able to “justify with respect to their commercial interests, forcing them to pull out of the Indian market.” Hence, the government should “focus on enhancing consumers’ privacy by avoiding unjustified data access by third parties, pruning state exemptions, and making the government’s request for data subject to judicial review. (It should) combat data breaches and cyber-attacks, prescribe an effective grievance redress mechanism, and foster data-driven innovation,” the study recommended. It also suggested a separate policy to incentivise the processing of data in India instead of forced data localisation.