India’s Data Localization Efforts Could Do More Harm Than Good
In April 2018, India’s central bank—the Reserve Bank of India (RBI)—issued a new rule for payment systems providers operating in the country. Under the rule, all user data collected within the borders of the country needed to be localized within six months. The RBI said it was motivated by the need to have “unfettered supervisory accesses” to such data, given the fast-growing and increasingly technology dependent payments ecosystem in India. This new data protection rule is just one part of a larger set of multi-sectoral data protection and privacy measures being considered by India, put forth in a contentious draft Personal Data Protection (PDP) Bill in July 2018. The draft PDP Bill is expexted to be introduced to Parliament this summer after the Lok Sabha elections in India in May 2019.
India’s move toward data localization, while timely and justifiable given numerous global data breaches and privacy scandals, is largely ineffective in protecting user data. The benefits do not outweigh costs. Higher infrastructure and compliance needs will increase operating costs for foreign companies, with potentially serious effects for India’s overall economy and foreign direct investment (FDI).
In India, digital payments are primarily supported by foreign companies such as Visa, Mastercard, and American Express, which facilitate nearly half of Indian debit and credit card transactions. According to the RBI, in 2018 alone India had 41 million credit cards and over 980 million debit cards, resulting in payments of $6.9 billion with credit cards and $46.5 billion with debit cards. The dominance of foreign companies over this kind of growth and vast consumer base is what prompted the RBI to put in place security measures on a “continuous basis to monitor the digital payments ecosystem.”
During the six months given to meet the RBI’s data localization requirement, both domestic and foreign companies operating in India struggled to understand how to comply with the new policy. By the mid-October deadline, around fifteen of the seventy-eight payment systems companies in India had not yet met the RBI’s requirement to start storing Indian user data within the borders of the country. Many sought extensions to comply and gave the RBI a defined plan on how they would meet the requirement. Moreover, while the policy had ample domestic support, both foreign and domestic business entities and foreign governments argued that this was an unnecessarily protectionist measure that would be detrimental for the economy. In late October 2018, Visa and Mastercard started storing Indian transaction data at technology centers in India, while still seeking relaxations of the rule from RBI on past data. As recently as January 2019, Truecaller became one of the first international technology companies to store its Indian users’ data locally.
Requiring financial data localization will increase costs for firms operating in India as they set up data storage and processing infrastructure in the country and potentially lose their economies of scale in data analytics. Firms may choose to pass on some of the increased costs to their customers, making their services in India more expensive. In terms of economic cost, the European Center for International Political Economy found that if the European Union (which is one of India’s top trading partners) imposed data localization standards as strict as those that India is proposing in its draft data protection legislation, the EU would lose over €50 billion annually, or 0.5 percent of its entire gross domestic product per year. If similar calculations are assumed for the Indian economy, the current draft Personal Data Protection Bill could cost India nearly $8.4 billion annually.
The RBI’s move could also impede freer trade and commerce, given that digital trade is fast becoming a central feature of modern commerce. In mid-October, US Senators John Cornyn (R-TX) and Mark Warner (D-VA), co-chairs of the India Caucus in the US Senate wrote to Indian Prime Minister Narendra Modi arguing that India’s move toward data localization would be detrimental to US businesses operating in India and counterproductive to India’s efforts to modernize its economic framework. The US ambassador to the World Trade Organization has previously called for banning data localization around the world altogether. Members of the Data Security Council of India also wrote that mandating localization could become a trade barrier.
Key international markets for Indian industry could mandate similar barriers on data flows to India, which could disrupt the booming information technology and business process outsourcing industries in India. NASSCOM, a trade association of the Indian information technology and business process outsourcing industry, believes that startups from India going global may not be able to leverage global cloud platforms as a result of this policy and could in turn face similar barriers as they expand into new markets.
There are alternatives to forced data localization that Indian regulators could pursue to protect the overall privacy and security of Indian user data and governments can more easily investigate digital frauds and crimes without resorting to data localization. In India’s case, while data localization to domestic data centers ensures data stays physically within India, it does not mean that the data is any more protected from cybercrime. According to Allied Startups, a Brussels based advocacy group, data security and integrity is best provided through encryption and clear legal frameworks.
Data localization, meanwhile, splinters the Internet, which is meant to enable centralized data storage and processing, taking advantage of economies of scale and a seamless, interconnected global Internet. As a result of this splintering, web service providers are unable to access this global infrastructure without restriction, ultimately undermining data security. Moreover, the location of a data center within India’s borders does not entitle law enforcement agencies to have better access to the data held at these data centers. Access to the data depends on who has custody, control, and possession of the actual data—which may not lie with the local data hosting facility, despite its physical presence in India. Many anticipate that India will also need a central regulatory body that can effectively enforce the new regulatory framework proposed in the draft Personal Data Protection bill.
The EU, which was successful in passing and enforcing the world’s first data privacy law, the General Data Protection Regulation (GDPR), described India’s overall data localization requirements in the draft Personal Data Protection Bill as “unnecessary, harmful, and likely to have negative effects on trade and investments.” The GDPR does not have any forced data localization requirements and offers flexible tools to different business models and transfer situations. The EU indicated that if legislated, the provisions of India’s draft Personal Data Protection Bill would hinder data transfers and complicate commercial exchanges, including in the context of EU-India bilateral negotiations on a possible free trade agreement.
The move toward data localization poses a threat to India’s existing bilateral trade relationships and its commitment to economic liberalization. It also risks market access for many to one of the world’s fastest growing economies. While Indian policy makers are justifiably trying to protect Indian citizens’ data, these moves offer little protection at a severe cost.
Kalika Likhi is a policy intern for the US-India Strategic Partnership Forum (USISPF) in Washington. She has previously worked with the Atlantic Council’s South Asia Center on the US-India Trade Initiative.