Cross-border flow is the basic life-blood of data. When information is isolated, it loses its potential to become knowledge and becomes increasingly vulnerable to breaches. Moreover, India might currently not even have the infrastructure to store its own data.More often than not, data is jeopardised by inadequate supporting infrastructure rather than malevolent threats.
A key issue on which India needs to make a decision is the approach to cross-border data flows. The ability to share and process data at lightning speeds is almost as important as the existence of the data itself.
It is remarkable what information can achieve when collected and processed at a large scale. With the growth of 21st-Century technology, these possibilities have grown. For instance, because data can flow at unprecedented speeds, centres can analyse trends in real time and provide insights that guide behaviour. Consider Google Maps, a software that collects information on a global scale, through remote sensors and can instantly count for changing directions, congestion, and solve to the minute for how much longer it will take from point A to point B. The sheer utility of Google Maps has made it essential to how we function on a daily basis.
Just like Google Maps impacts the individual, sets of big data drive behaviours of industry and, indeed, entire sectors. A key reason for why this model is able to function so efficiently is the nature of data. As a commodity, data can be shared at lightning speeds while managing costs. In the contemporary world, collecting and sharing information has become more easier and more effective than at any point in history. It is a result of this that we have made our progress into “Industry 4.0”, and it is the driver that will help us bring about this revolution.
However, this progress cannot be achieved without the freedom of accessibility that data aggregation requires. Pieces of information kept in isolation are not nearly as useful or efficient in comparison to what they can do together, when combined and consolidated — the whole is greater than the sum of its parts. When data is allowed to exist without borders, it has the added benefit of keeping costs down and allowing companies to spread out globally. Any curbs on this ability can have negative side effects for industry and the billions it benefits around the world.
Unfortunately, that is a possibility India has been considering over recent years. Data localisation is the idea that data should be ‘localised’ or confined to national borders. Measures to achieve this can vary in their degree of severity. If considered in its most stringent form, localisation can prohibit data to leave national borders (generally there is a provision to make exceptions for special circumstances). When relaxed, localisation requirements might ask for companies to meet security adequacy standards when keeping an updated copy of the data domestically.
This brings us to the broader question of why localisation measures in India are on the rise. The Reserve Bank of India released a circular early last year that called for localisation in the payments sector while a special committee, formed for designing recommendations on data protection, suggested localisation methods.
Localisation is a trending topic in the Indian data space. So let us take a moment to examine why the government is taking the stance it is. The arguments presented in the central bank’s circular and the White Paper released by the Srikrishna Committee essentially boil down to the need for access rather than storage of data. Unfettered access to data is supposed to translate into more effective law enforcement. Localisation then is a method to enable this need for access. In addition, it would also protect India’s data from malicious foreign entities.
While ensuring security and ease of access for Indian data is paramount, localisation might not be the best means to achieve that end. Because of the very nature of data, the physical location of where it may be stored does not govern who has access to it. There are different zones of jurisdiction depending on who the data belongs to. For instance, just because Facebook’s data centre might be located in Bangalore or Hyderabad, does not make it property of the state or federal government(s). Moreover, even if placing the centres in India would somehow protect them from foreign surveillance (the fears are justified after Edward Snowden’s leak), it would render them more vulnerable to domestic threats. Moreover, more often than not, data is jeopardised by inadequate supporting infrastructure rather than malevolent threats. For example, a study by the Leviathan Security Group stated that in 2011 data was compromised because of a slow water drip in a nondescript office building in the Canadian city of Calgary. The lack of adequate infrastructure set off an explosion that caused days of computer outages for hospitals, ambulances, radio stations, taxis, and criminal justice facilities around the province. It is not easy to source and maintain the infrastructural requirements of data centres. Not only do they need to be completely free of even seemingly minor dysfunctions such as water drips, data centres also need massive amounts of resources — electricity and water — to function. India might not have the infrastructural capacity to meet the requirements of setting up and maintaining data centres. A large percentage of Indians do not have access to electricity and there is an impending crisis for water.
So, India still has a long way to go before it can meet the infrastructural requirements for setting up data centres of its own. Ultimately, for India, and for the sake of the larger narrative, localisation is not a means to achieve better data security. What it will do, instead, is increase costs for the industry while making global organisation tougher to manage. Curbing freedom of movement for data will impact the ability to progress, innovate, and allocate resources, while sullying the experience for the end user, the people.
It should be noted that localisation was a key mandate of the BJP government before the elections. There is widespread belief in the government that localising Indian data is the way to go. It complements the current administration’s ‘India First’ message. However, as far as cross-border data flows are concerned, localisation might not be the tool that helps India in the long or short term. With the reelection of the BJP, there is no reason to believe that the approach to cross-border data flows is likely to change. We can presume that the draft e-commerce policy, data protection bill, and the RBI circular will all enforce their version of localisation.
The question is whether it will actually help keep data secure while harnessing the potential we know it possesses. As most experts on big data and AI will tell you, when it comes to data, it is always better to let it roam free.
The article was first published in The Hindu. Views are personal.