Over the last couple of years, data localisation has become a hotly debated issue right from the time the Reserve Bank of India came out with its notification mandating ‘storage of payment system data’ within India. Subsequently, the proposed Personal Data Protection (PDP) Bill, 2019, also envisages a graded localisation regime for different categories of data.
While these regulative measures can be seen as ‘push’ options, Finance Minister Nirmala Sitharaman’s 2020-21 Budget announcements incentivising the private sector to set up data centres/parks across the country is an effort at ‘pulling’ entrepreneurs to develop an Indian market on data storage and processing, much in the same way as in the West. The issue is likely to gain fresh thrust in light of PM Narendra Modi’s recent call for Atma Nirbharta (self-reliance) as a measure to revive the economy in a post Covid-19 world. Together, these developments have the potential to propel the growth of India’s data storage and processing industry significantly, by unlocking new opportunities for domestic businesses.
On the flipside, studies have pointed out some possible adverse impacts of mandating data localisation by law (hard regulation) and/or disconnecting from global value chains and the impact on multiple stakeholders including MSMEs. Hence, a cautious approach needs to be followed. Problem areas: While data localisation may facilitate growth of data centres in India, along with its positive impact on national security, economic development, etc., a study by Consumer Unity & Trust Society (CUTS), a think tank, on consumer impact assessment of data localisation found that it may have an adverse impact on freedom of speech, privacy violations, data breaches and cyber-attacks, and most importantly on innovation.
This is largely due to an inadequate data security regime and data breach laws, weak compensation regime for data breaches and high compliance costs, particularly for MSMEs, start-ups, etc. Another CUTS study found that data localisation may have an adverse impact on India’s digital services export. One of the major factors behind India becoming a world leader in digital services export is uninterrupted flow of data across borders and favourable policies. Data localisation may add a regulatory compliance cost to the companies, particularly the MSMEs, and hinder the participation of domestic start-ups in global value chains, thereby affecting foreign investment and innovation in the country. In the PDP Bill, data has been categorised into personal, sensitive and critical data.
While there is no restriction on processing or storage of personal data, sensitive data must be mirrored in India and can be processed outside India. Critical personal data cannot, however, be processed or stored outside India though what is critical personal data has not been defined in the Bill and has been left to the Centre to notify later. This has brought the spectre of surveillance on citizens not just by government but even by foreign agencies and social intermediary data fiduciaries. Though the country is generating enormous amounts of data, it does not have the capacity to store them within its territory under the data localisation mandate and has a long way to go with regard to the availability of data centres in comparison to developed countries as well as its peers in the Asia-Pacific region.
Need a balanced approach: We have to understand that the data economy is a sunrise sector in India. Our data consumption has been rapidly increasing over the last few years. For example, within a month of the imposition of a countrywide lockdown due to the Covid-19 pandemic, data consumption in rural India witnessed an almost 100% jump. With an evident growth in data generation from increased business transactions through electronic means and supplemented by data localisation policies and laws, this is an appropriate time to incentivise local private players to establish data centres in India rather than creating a hard regulations regime. We should adopt a ‘regulatory sandbox’ approach including regulatory impact assessment.
By 2024, the data centre market in India is expected to generate revenue worth $4 billion. In order to handle this increasing data volume from data localisation, India would need to ramp up its data centres capacity by at least 15 times over the next seven to eight years. Though investments are coming in, there is still a need to remove regulatory hindrances. As much as 60 different permits are needed to establish data centres in India, which span 15 government departments. Similarly, issues such as uninterrupted power supply, quality and availability of brick and mortar infrastructure in land banks, expensive real estate and networking components also act as roadblocks.
The recent announcement by the PM of bringing in an ecosystem of ‘plug and play’ is the way forward.
It is important to understand that along with ensuring data access to law enforcement agencies for providing security as a public good and securing data of Indian citizens from foreign surveillance, the government’s move towards data localisation may be seen as a decisive and robust step towards making India the data services capital of the world by providing cheaper and more efficient options to corporates, banks and multinationals. It would help generate employment opportunities, and spur domestic innovation.
Rajya Sabha MP and former CAG bureaucrat with a PhD in management
Executive Director, CUTS International
(Kapil Gupta, Assistant Policy Analyst at CUTS International, has contributed to this article)