Does data have nationality?

The data localization debate expands to include a new question—should the origin of the entities handling personal data of individuals matter when deciding their rights over processing the data?

Does data have nationality? - CIO&Leader

It is almost a new battle line.

Beyond cross-border flow of data, Ambani’s pitch raises a new question—if a distinction should be made between a foreign company like Facebook or Google and an Indian company like Jio or Airtel when it comes to their collection and use of personal data.

“In this new world, data is the new oil. Data is the new wealth. India’s data must be controlled and owned by Indian people ─ and not by corporates, especially global corporations. For India to succeed in this data-driven revolution, we will have to migrate the control and ownership of Indian data back to India ─ in other words, Indian wealth back to every Indian,” said Mukesh Ambani, the chairman of Reliance Industries, India’s largest private sector company and the richest Indian businessman.

Not that the issue is new. Neither is Ambani’s reaction. He has repeated the statement quite a few times, using exactly the same words – data is the new oil—starting way back in 2017. His Reliance Jio too argued for prohibiting cross border transfer of data, as in the case of Aadhaar, in response to the paper Recommendations on Privacy, Security and Ownership of the Data in the Telecom Sector released by telecom sector regulator, Telecom Regulatory Authority of India (TRAI) in August 2017.

“We submit that it is imperative that cross border transfer of sensitive data be prohibited by promoting localized hosting of personal data in India as is being done in the case of Aadhaar data. We reiterate the risk of all the regulations being rendered futile if operators are able to transfer data outside the country as then the local authorities / regulators will have little jurisdiction,” it had submitted. Since the responses to the Government’s draft privacy bill and the discussion paper on the subject issued before that are not public, it is not known what stance it took.

But the importance given to his statement this time is far bigger because of two reasons.

One, the platform this time was far bigger. It was not a telecom industry conference or a Reliance meeting of shareholders. He was speaking at the Vibrant Gujarat Summit, attended by who’s who of businessmen and NRIs as well as top politicians, including Prime Minister Narendra Modi, to whom goes the credit of starting this summit during his tenure as the Chief Minister of Gujarat.

And it was not just another statement media decided to play up. It is the point with which he concluded, addressing it specifically to the prime minister,

Honourable Prime Minister, I am sure you will make this one of the principal goals of your Digital India mission,” he said.

And the issue he was highlighting was not about a technical one like cross-border transfer of data. The platform was way too big for that. It was about Indian vs non-Indian corporates. By playing to the nationalism pitch, he was taking the battle to another level. If his ‘especially global corporations’ left some scope for interpretation, that was removed by his strong words like ‘colonization’.

Ambani compared it to Gandhiji’s satyagraha against British colonization.

“Gandhiji led India’s movement against political colonisation. Today, we have to collectively launch a new movement against data colonization,” he said while using it as the reason to make the recommendations.

By playing with words like ‘colonization’ and ‘global corporations’, he was trying to draw a line between Indian companies and non-Indian companies. For example, cross-border data transfer can be done by an Indian company and a non-Indian headquartered company can well have a datacenter in India, as is being done in banking sector, following a mandate from the regulator Reserve Bank of India.

But by raising the nationalism pitch, he was giving the issue a much wider dimension. While appealing to regulators and policy makers could be the explicit stance, it was, in some way meant for Indians in general – should they trust Indian companies more than the non-Indian companies? In the age of wearing nationalism on your sleeves, it is, if not anything else, a good marketing proposition.

Few people reacted on social media except for regular jokes and humour. That is because all media headlines highlighted the data-is-the-new-oil part which sounded a progressive, ‘trends’ kinds of observation and was taken as a normal good news headline. 

But many championing citizens’ right over data were not amused. Tathagata Satapathy, the MP from Odisha, who had argued for attaching a commercial value to the personal data and citizens being paid directly for usage of their data, in his now famous August 2017 Times of India centrepiece, If Data Is The New Oil…, was quick to clarify that there is no difference between Indian and foreign companies.

“All I've been saying is if any one (be it Indian corporate or overseas entity, no difference) uses individual’s (yours or mine) data, it must be a commercial deal between subject & user. Pay us for our data used. Stop cheating citizens,” he tweeted quoting a news item about Ambani’s proclamation.

The two elements of the debate

There are two dimensions to this whole debate.

One is a well-known, well-discussed issue of storing data in the citizen’s own country and having some restrictions on the flow of data outside that country. Known as data localization and cross-border flow of data, these two issues are not exactly the same but are often hyphenated. Almost all regulators are sensitized to the issue, have discussed it thoroughly and tried to address it, though the exact stances may vary from one regulation to another.

EU’s General Data Protection Regulations (GDPR)—the most well-known data privacy regulation that started this big debate globally on data privacy—deals with it in articles 44-49. Article 44 of the GDPR, which came into effect in May 2018—prohibits the transfer of personal data beyond European Union/European Economic Area (EU + Iceland, Norway & Liechtenstein), unless the recipient country can prove it provides adequate data protection. The rest of the articles provide detailed conditions.

Nigeria, Russia and Indonesia have stringent local data storing requirement while China too insists on it generally.

In India, the Reserve Bank of India, in its regulatory guidelines, has mandated that all banking related data must be stored in India. Even its newer payment systems guidelines too mandated that all payments systems data must also be stored in India.

In fact, in April 2018, RBI issued a warning and directed all the payment systems operators to comply to data localization requirements within six months.

“It is observed that at present only certain payment system operators and their outsourcing partners store the payment system data either partly or completely in the country. In order to have unfettered access to all payment data for supervisory purposes, it has been decided that all payment system operators will ensure that data related to payment systems operated by them are stored only inside the country within a period of 6 months,” the RBI notification said. 

The Ministry of Electronics & Information Technology has also mandated that all government departments using cloud too should store their data within India.

Beyond this, there is no enforceable regulation today that restricts cross-border flow of personal data. However, the draft Personal Data Protection Bill, 2018, released in September last year, has a whole chapter dedicated to Transfer of Personal Data Outside India. Clause(1) of Section 40 of Chapter VIII states that every data fiduciary (the entity that determines the purpose and means of processing of personal data) shall ensure the storage, on a server or datacenter located in India,of at least one serving copy of personal data. Clause(2) requires that ‘sensitive personal data’ should be processed in India.

TRAI, in its recommendation, took a middle line of suggesting a case-by-case approach, which may be difficult to execute. It too said that some sensitive personal data should be required to be stored in India.

But what gives a good overview of the positions taken on this is the submission by various companies and groups, especially commercial entities and their industry bodies.

Reliance Jio submitted that TRAI should put in place measures to curb cross-border transfer of data by mandating localized hosting of data. Quoting laws in various countries in this regard, the Jio submission said that in the interest of national security and customer data privacy, the guidelines for data protection should provide for data localization for sensitive data.

IBM, on the other hand, said that the free flow of Data is fundamental to the health of the modern global economy. “Many existing regimes reflect the need to preserve multiple approaches to cross-border data transfers without weakening privacy safeguards and India should take inspiration from these approaches,” it said.

It said the movement of data across borders is imperative for today’s global economy and data localization requirements not just disrupt the free flow of data; they are incompatible with the Internet’s distributed infrastructure that enables optimal system architecture while stressing that the security of data does not hinge on the national boundaries of where such data resides; and

It also warned that “data localization requirements create barriers to market access, particularly impacting small- and medium-sized enterprises, which are eager to attract customers not only domestically, but also in foreign markets”

As expected, both NASSCOM-Data Security Council of India (DSCI) and US India Business Council opposed curbs on cross-border flow of data.

USIBC warned that any measures to restrict international data flows of Indian citizens could produce a backlash among key commercial partners as India, via its outsourcing business, handles private data of citizens of many other countries, including financial and legal information processed as part of back-end offices and third-party outsourcing contracts. “A data protection framework that facilities cross-border data flows will enable business of all sectors and sizes to reach new customers in foreign markets inexpensively and manage relationships with foreign clients,” it said in its submission.

NASSCOM too feared the possibility of backlash. “If similar policy directions are followed by other countries, it will severely hit established Indian IT-BPM industry sector including the emerging cloud industry which is major contributor to the Indian GDP,” it said.

Its stance was subjecting organizations to the requirements of data/infrastructure localization will prove to be counterproductive.

However, the response was not always on ‘nationalist’ lines. An ‘Indian’ Airtel said “principally, there should not be any distinction over the accountability of the concerned stakeholders if the data is flowing within the country or outside the country. Entities sending the consumer data abroad should continue to remain liable under Indian law for action taken by the foreign handler of this data as they would have remained liable for Indian entities in similar situations.”

Citibank suggested rules/directives regarding flow of data to countries that do not provide adequate data protection, along the lines of GDPR.

However, beyond cross-border flow of data, Ambani’s pitch raises a new question—if a distinction should be made between a foreign company like Facebook or Google as compared to a Jio or Airtel regarding their collection and use of personal data of individuals.

It could raise a number of questions:

  • First and foremost, is it fair and in sync with global trade agreements?
  • What about perceived Indian companies with significant foreign-ownership like Flipkart and Snapdeal?
  • What about its possible conflicts with data localization requirements? If an Indian company decides to send the data outside borders, will it be allowed even while not allowing a foreign company storing and processing data in India?
  • Of course, as NASSCOM and USIBC raised, what if there is a backlash?

There is increasing realization that privacy and protection of personal data are important. As India braces a stringent privacy laws, the draft policy is already being criticized for distinguishing too much between a government entity and a private entity, which is not there in regulations like GDPR. An Indian-non-India dividing line could well be another controversial distinction.

Read the CIO&Leader January 2019 Issue


Add new comment