Understanding the data localisation debate in India
In 2016, Cambridge Analytica, the data-driven political consultancy, created a model that could effectively use the Facebook likes of its subjects and work backwards, filling in the rest of the columns in a spreadsheet to arrive at guesses about their personalities, political affiliations etc. These algorithms were then put at work for their clients, by profiling and deploying targeted content in over hundred election campaigns in 30 countries.
What is data localization? Data localization in the Indian context simply means that companies collecting critical data about consumers must store and process such data within the Indian borders. Prior to the Reserve Bank of India’s (RBI) announcement of a deadline in September this year, most data from India was not stored within the country. It was usually stored on a cloud database outside India. The call to localise sensitive data by the RBI convinced many companies like tech majors like Paytm, WhatsApp and Google to change their data storage locations to India by 15th October, 2019. However, currently there are no fines or penalties being imposed on non-complying companies.
Does data localization help avoid manipulation of data by third parties like Cambridge Analytica? One of the main arguments for data localization is concerned with the protection of personal and financial information of the country’s citizens from foreign surveillance and giving domestic governments and regulators the jurisdiction to ask for such data when required. In other words, it does not entirely cover the risks associated with third party data manipulation.
This shift only poses a new set of challenges; the bill's latest version introduces a provision empowering the government to ask a company to provide anonymized personal data, as well as other non-personal data, to help meet the targets of government service deliveries or for formulating relevant policies. Moreover, such an argument also assumes that maintenance of data internally is better than entrusting it to foreign entities, which has its own repercussions in this global world.
Voluntarily or involuntarily, we all are laying our trust on global service providers with more and more information, which is why we seek greater accountability from these firms about the end-use of such data. Data localization seeks to bring this within the jurisdiction of the government for better regulation. For example, where data is not localized, agencies must rely on Mutual Legal Assistance Treaties (MLATs) to obtain access and prevent delaying investigations.
What are some important aspects of the Personal Data Protection Bill? This bill encompasses several aspects. The Bill also sets out certain rights of the individual. These include the right to:
(i) Obtain confirmation from the fiduciary on whether their personal data has been processed
(ii) Seek correction of inaccurate, incomplete, or out-of-date personal data
(iii) Have personal data transferred to any other data fiduciary in certain circumstances
(iv) Restrict continuing disclosure of their personal data by a fiduciary, if it is no longer necessary or consent is withdrawn.
The other aspect is about the grounds for processing personal data. This Bill allows processing of data by fiduciaries only if consent is provided by the individual. However, in certain circumstances, personal data can be processed without consent. These include:
(i) if required by the state for providing benefits to the individual
(ii) legal proceedings
(iii) to respond to a medical emergency
The final aspect related to the transfer of data outside India. Sensitive personal data can be transferred outside India for processing if explicitly consented to by the individual, and subject to certain additional conditions. However, such sensitive personal data should continue to be stored in India. Certain personal data notified as critical personal data by the government can only be processed in India.
The Personal Data Protection Bill, was presented as a draft in 2018, prepared by a high-level expert group headed by the former Supreme Court judge B.N. Srikrishna. The bill, which was tabled in Parliament on December 11, has now been referred to a joint committee.
Justice B.N. Srikrishna’s committee which forms the basis of the report has notably recommended that the government bring in a law for the oversight of intelligence-gathering activities and the means by which non-consensual processing of data takes place.
Another clause is regarding the constitution of the Data Protection Authority of India, which is to monitor and enforce the provisions of the bill. It is to be headed by a chairperson and have not more than six whole-time members, all of whom are to be selected by a panel filled with government nominees. The Union Cabinet had cleared the Personal Data Protection Bill for introduction in the current session of Parliament.
Ever since the internet and communications made it possible to stream data across the globe and connected billions of people on a common platform, the scope of technological progress has been hard to comprehend in terms of its social, political and economic outcomes. But that does not mean we can deny its existence?
Today, a huge part of our lives is spent online, be it purchasing goods, initiating social movements and election campaigns or crowdfunding socially responsible activities. All of this happens along with a lingering threat that our supposed window to the world might just be a painting at the hands of machine learning and artificial intelligence tools. It is, therefore, important that citizens understand what data is, how we interact with it and keep abreast of data protection laws within our countries so that we better understand the impact of the present global scenario in protecting citizens’ privacy and information in this global world. To learn more about Data, please visit IT & BPM page
This blog has been authored by Kartikeya Saigal.