The policies implemented by the Justice Srikrishna committee clearly indicate that the conclusion to localise data came much before the reasons to localise were constructed.
The insistence in some government and business quarters that Indian data be stored in India is based on several premises. Some reasonable, others curious, and yet some quite bizarre. Let us examine each one of them in brief.
The first and perhaps the strongest reason is maintaining law and order. It is a very reasonable ask since many of the public order related incidents in recent months can be attributed to the viral power of the internet. In several cases, fake news, leading to potential harm, have been clearly identified. Little wonder that many of the platforms have been pestered for more and more information with limited success, frustrating both the platforms and the security establishment. Internet shutdowns have been frequent and quite arbitrary. The need for a more law-abiding set of businesses who share data with the authorities have been long felt, rightly or wrongly. Let us also confess that data businesses have not been very forthcoming about sharing data with law enforcement authorities.
The second reason that I heard was the argument that data needs to be shared for socio-economic good. This sounds a little curious, but the reason given is that the government needs data for better implementation of social programmes and statistics collection. Of course, one can argue that the state’s demand of data for surveillance often comes under the garb of social causes. But, let us not question the motives of the state just yet.
The third argument that is gaining currency is that data needs to be shared with start-ups so that they can have a level playing field in offering innovative services with large and often global data companies. This argument does touch a sensitive chord among many start-ups, and those more nationalistic among the establishment. It may make some sense in a very obtuse way but we shall still consider it very valid.
There are several other secondary issues which may not detain us here. Suffice it to say that the argument is simple and powerful: Data localisation is necessary because we need data companies to share more and more data with the ecosystem. The need for localisation emanates from the need for sharing, a very noble aim indeed.
On deeper examination, the policies that have been recently drafted or implemented by the ministry of commerce, RBI, the Cloud committee and most notably the Justice Srikrishna committee, clearly indicate that the need to share data is a post-facto argument to support data localisation. The conclusion to localise data came much before the reasons to localise were constructed.
It is for this reason that none of the above policies, as drafted, lays down any clear norms for data sharing with any of the constituencies. Let us consider data sharing with law enforcement which, perhaps, is the top most reason for data localisation. In all the policies/bills, etc., it is assumed that data localisation will automatically lead to data sharing. However, there is no law in the country that allows government entities “unfettered” access to “all data” to quote the RBI directive. In the past, we have seen how a messaging company was forced to get its servers in India and how, thereafter, no extra information could be extracted from their servers. Unless, of course, there was some extra-legal private arrangement about which we are not aware.
Sharing data for socio-economic development, too, is a very important reason. However, once again, in none of the policy papers is there any mention of how this is going to happen under the law. There is not even a casual mention of the intention in any of the policy papers cited above, including the comprehensive draft Privacy and Data Protection Bill.
Finally, the issue of sharing data with start-ups to promote innovation is cited as a powerful reason behind data localisation. Curiously, once again, none of the policy papers cited above makes any mention of how this is legally possible given the fact that under present law, corporate entities are free not to share commercial data with another corporate entity.
Given that the noble cause of data sharing is not just a fig-leaf, hiding darker motives for data localisation, would it not be natural for data sharing pathways with law-enforcement, socio-economic development agencies, and the start-up community to have been clarified up-front? Would it not have been expected for such pathways to be clearly defined in policy papers, given the sanction of law? In other words, the horse should have been placed before the cart. For India’s data policy to be consistent with the higher motives it claims, the pathways of data sharing must be embedded in policy before data localisation is proposed as a solution.
By- Subho Ray. President, Internet and Mobile Association of India (Views are personal)