-TV Ramachandran, Kartik Raja & V Sridhar
Amongst a host of recommendations concerning aspects of privacy and consent definitions, the report of the Justice Srikrishna Committee (JSKC) appears to be generating considerable debate and views around its Clause 40 on data ownership: Restrictions on Cross-Border Transfer of Personal Data, which states that:
(1) Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies;
(2) The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.
While the clause has sparked heated discussions on what constitutes critical, personal and who decides, this article does not deal with these aspects. We, instead, focus on the recommendation of “processing and storing” of data in India—where there appears to be confusion between data residency or storage and control of data.
Incidentally, it is heartening that a host of governance initiatives like eMudhra and also several private applications are currently being developed on ultramodern distributed ledger (popularly known as blockchains) and edge-computing technologies. By their very definition, such technologies work on global chains of storage where data can reside in any part of the world but access is granted only to those with requisite permissions. These cutting-edge fields could place India on par with or even ahead of other advanced countries in delivering efficiencies to its citizens and its economy. However, implementing the JSKC data storage recommendation as tough law could negate these beneficial possibilities and, in fact, cause serious consequences, as Indian companies working on such technologies (including the government) would be disadvantaged significantly since they would need to create India-specific private blockchains. Not only would such private chains add onerous costs and huge time delays, but they would also be unnecessary given the technologies prevalent today.
In this context, it is interesting to note the example of the tiny nation of Estonia, which has rolled out a technology called Keyless Signature Infrastructure (KSI) to safeguard all its citizenry data. Essentially, KSI encrypts all the data and stores the encryption keys in a blockchain distributed across a national network of government computers. Actual storage of the data can thus be anywhere in the world, as efficiency dictates.
Estonian government officials can monitor changes within various databases, such as who has made changes to a record, what kind of changes are made, and when they were made. The electronic health records of all its citizens are currently managed using this technology, and the country is planning to make it available to all government agencies and private sector companies in the country.
A brick-and-mortar analogy to such initiatives is bank lockers. Instead of focusing on where the lockers are, focusing on ownership of locker keys provides for all the control and protection needed by the parties concerned. We have cited the example of Estonia and KSI only to stress the point that the place of storage of data does not automatically guarantee access, control or security.
The implications of JSKC’s technologically-challenged recommendations could be significantly disadvantageous to India’s data ambitions. For example, the economics of data centres and storage has power and land accounting for greater than 75% of the costs. Countries that are more efficient in these aspects will hold the competitive edge in storage. Mandating companies to store data in India-specific data centres or country-specific blockchain would affect efficiencies across sectors. Be it the long-suffering agriculture sector where the NITI Aayog plans to use blockchain to track soil-testing data or the beleaguered banking sector that is forced to store information on India-based data centres, transaction costs will go up across the board and inefficiencies will consequently get passed on to the common man.
The NITI Aayog is expected to shortly release its paper on IndiaChain. We are confident it will clarify the advances made in technologies like blockchain and provide a mechanism for secure storage of encryption keys in a country-specific set of servers. Adding this to IndiaStack components like eKYC and UPI will not only address the privacy concerns of our citizenry, including around Aadhaar, but also encourage rapid adoption of blockchain-related projects at scale. There is a clear potential for public policy to position India at the forefront of blockchain advancement, while European nations are still at the nascent stage of signing a declaration of cooperation for a European partnership.
Such a distributed IndiaChain, developed and run cooperatively by technical institutions, government and relevant independent organisations, can also federate the responsibility and accountability of maintaining privacy and security of personal information of data subjects, which is one of the serious concerns of the Data Protection Bill.
It must be noted that such in-country stored encryption keys not only “protect” but also “control” insofar as data can be retrieved should there be a legal need to do so. (Solutions like India-specific encryption key storage on blockchain are distinct from the proprietary dynamic encryption safeguards incorporated directly by some global firms.)
Finally, such structural recommendations will do away with the ill-conceived notions of assuming locations of data storage being the only way to control and protect data privacy. Such a structural approach is needed to make the Indian elephant dance to the tunes of innovation and new technologies.
-Ramachandran is President, Broadband India Forum, and Honorary Fellow, IET (London); Raja is CEO, Phimetrics India Ltd; and Sridhar is Professor, IIIT Bangalore. Views are personal