The recent ban on 59 apps by the Indian government amidst political tensions between India and China marks the watershed moment of ‘data nationalism’ in the cyberspace. The requirement for all firms that provide services through these apps to prove that data is not exported out of the country, often referred to as ‘data localisation’ measures, has implications on cross-border data flows and digital trade.
As pointed out by Christopher Kuner, professor of Law at the Vrije Universiteit Brussel in Belgium and an expert on privacy and data protection, ‘data nationalism’ is not just a short-term political phenomenon, subject to ebbs and flows of protectionist sentiments, but the expression of a profound unease with the last few decades of increasing globalisation due to the ubiquitous and omnipresent internet. Although data nationalism has been in existence in parts of the world since the 1970s, the Snowden and Cambridge Analytica episodes have prompted even democratic countries (notably Brazil, Germany and India) to undertake data localisation measures, including regulations and rules on storing data within the territorial jurisdiction of the country.
According to a recent study by the European Centre for International Political Economy, China, Russia and Turkey are the infamous toppers in terms of data localisation restrictions; with India lining up with the UK and other European countries in the category of lesser restrictive ones; and the US amongst the group of countries that are least restrictive. What do these forms of data localisation restrictions mean for all the stakeholders, namely consumers, app firms (aka data fiduciaries) and the government?
App firms, obviously, are not pleased. Although the immediate reactions of Chinese firms are not pronounced, a similar directive from RBI, on April 6, 2018, mandating localised storage of all financial transactions within India evoked strong negative reactions from global fintech firms such as Amazon Pay and Google Pay, citing increased costs, and possible deterioration of security and quality of services.
Consumers have a mixed reaction. Some of the TikTok stars who currently have thousands and even millions of followers and hence have massive network effects need to start all over again if they have to move to alternative platforms. Consumers of e-commerce sites such as Shein complain about reduction in their purchase choices.
The government, as clearly stated in the notification, intends to protect sovereignty and national security by mandating data localisation. Is there any silver-lining to this?
As the ban is imposed, Indian start-ups such as Chingari have upped their ante, indicating they are well positioned to replace Chinese apps. There is some evidence that stricter restrictions on cross-border data flow provide advantages to local firms to serve their clientele better in terms of both price and quality. Our own research indicates that the data compliance costs imposed due to the data localisation rules increase cost and reduce the quality and features of services provided by global firms to their consumers in those regions. However, local firms tend to benefit and often compete well in garnering the market share of their local consumers. This effect is more pronounced especially in countries such as India that have a large potential consumer base. This leads to consumers clustering around their local producers of services, and often have limited choices for purchase.
Governments that propose data localisation measures cite that restricting personal information, emails and other forms of data from leaving the country would prevent foreign surveillance of their data subjects. However, data fiduciaries argue that data localisation provides local governments easier access to data of her residents. Data localisation may give domestic intelligence agencies of the home country increased data collection powers over their residents’ data through even coercion of residents.
Data localisation has its advantages and disadvantages. The way forward is for internet firms and governments to be transparent and respect the data protection and privacy laws of data subjects both in letter and spirit. Firms often deviate from privacy policies and become non-compliant if there are no stringent penalties. It’s time India enacts the data protection Bill to enforce lawfully the property rights of our residents and penalise deviators, be it firms or governments.
The author is a professor at IIIT Bangalore