Apanel headed by Kris Gopalakrishnan to formulate the Government of India’s cloud computing policy has recently recommended that data generated in India be stored locally. With this move, the call for data localisation in policy circles has become ever more strident. The committee has, in a draft report yet to be made public, recommended a study to identify locations conducive for data centre infrastructure to ramp up cloud server presence in the country. In a data-rich, server-poor nation, the panel’s recommendations could well erect another pillar for what certain industry segments term an edifice of data sovereignty.
The regulator’s view
The finance sector received the first jolt in this direction when, in April 2018, the Reserve Bank of India came out with an ill-conceived notification under the Payment and Settlement Systems Act 2007. This notification observed that the ‘highly technology-dependent’ payment ecosystem needed ‘better monitoring’ and ‘unfettered supervisory access’ to data stored with system providers. The RBI’s pill for the same – a disproportionate and excessive mandate that ‘all system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India’.
There are many issues with this notification. At a conceptual level, it conflates data supervision with data storage or in simpler terms, the ends with the means. No consultative exercise was carried out to explore whether the same goals of effective supervision and monitoring could be attained through less excessive measures. The other glaring concern is the total absence of any informed reasoning to back the assertions in the notification. There are several reasons for organisations to locate their servers in certain regions, including weather patterns, disaster resilience, availability of domestic cybersecurity talent, stable power distribution, and reliable connectivity and continuous uptime. By impinging on this business autonomy, measures such as the RBI directive or proposals in the draft cloud policy render highly uncertain the carrying on of trade in the digital economy. When it comes to extolling the benefits of artificial intelligence or emerging technologies like blockchain, there is no dearth of exhortations from Indian policy makers to the effect that data qualifies as the new form of oil. However, when advocating localisation, they remain oblivious to the basic reality that those in the data business must then be free to organise their back-end data analytic and processing operations in ways that help them efficiently extract the most of such value. Using poorly-defined narratives of colonisation and sovereignty to shape economic regulations renders highly uncertain the sinking in of investments in any business model.
An unsatisfactory compromise
Some of these lapses are evident from subsequent exchanges between the Ministry of Finance and the RBI over this issue. The ministry has underscored RBI’s overlooking of data mirroring, i.e., local retention of copies even when primary data storage happens elsewhere, to address the problems highlighted in the notification in less burdensome ways. It has also noted the overbreadth of the restriction, suggesting instead a clear specification of the types of financial data that are subject to data localisation mandate.
But the drawback of such ad-hoc ministerial interventions, protective as they may be of legitimate industry concerns, is their poor fit with the larger enterprise of regulating new technologies and particularly the internet. Unlike other general-purpose technologies like electricity, or resources like natural gas, the internet is a fluid idea as much as it is a network of networks. The law does not merely regulate this physical network, but also constitutes and shapes the fluid idea. To clarify this point using another controversial theme, net neutrality is not only about whether differential pricing is possible for data access but also about the openness of the internet. In fact, we worry more often about the idea of openness being jeopardised rather than a few entities buying their way to preferential access, with the Facebook free basics episode serving as a prime example of the former kind of concern. In that case, civil society organised to stall a scheme that may have had significant benefits for wider internet reach simply because it would have presented a closed version of the medium to various social groups.
This point on the constitutive character of law is important for two different reasons. First, because it calls for a general form of decision- making on issues such as data localisation that determine the essential idea of what constitutes the internet and data transfers via this medium, rather than chequered regulatory interventions that players in the digital economy are currently subject to. And second, because any such generally applicable decision on this issue can then be critiqued for its impact on the very idea of the internet that we have come to accept and cherish. This is important when evaluating the new data protection bill, a product of deliberations by the expert committee headed by Justice Srikrishna, which proposes generally applicable data regulation across sectors for the first time. The draft bill amplifies the uncertainty problem highlighted here by providing for a category of ‘critical personal data’ that can only be processed in India. It leaves decisions on this category to the central government, unravelling the whole point behind moving toward generally applicable norms on data localisation.
None of the economic and social benefits highlighted by various committees as the rationale for indigenising the data ecosystem will organically take place in a regulatory climate that renders investments uncertain. Such uncertainty is a potential outcome of India’s present stance on data localisation, one that needs to be kept in mind by parliamentarians when voting on the draft data protection bill.