Data localization and international policy
Clause 34 highlights governance over data transfers between different countries, giving exceptions to only certain allowances such as emergencies. By doing so, the ease of doing business with multiple entities1 situated in different countries becomes more complex, resulting in loss of opportunities for Indian businesses to compete on the global stage. United National Conference on Trade and Development (UNCTAD) estimates that roughly 50 percent of all trade services are enabled by technology, and there is cross border flow of data2. It is therefore important to note that such practices can cause difficulties for tech-enabled businesses. As a participant at the Data Privacy Conference explained:
“If we are building for privacy, why not build the infrastructure globally and holistically? The same infrastructure and architecture should be extendable to different countries instead of dealing with each country on a case-by-case basis. In our organization, we decided that we will take the best of the existing privacy laws and build privacy infrastructure for the most stringent of these regulations, and then enforce adoption globally. This helps us in the future because as more countries implement privacy laws, it becomes easier for us to comply with these laws.”
It is important for the law to take into account that for business entities that have already invested in compliance with international legislation, they should not be forced to incur huge financial pressures for compliance to the PDP because of vast differences between international regulations and PDP.
It is estimated that India will lose roughly 0.7-1.7% of its GDP3 if data localization practices were to be implemented. It is also important to remember that many smaller entities depend on cloud storage software for managing data assets and running infrastructure. All of these entities are internationally owned and globally recognized products. Harvard Business Review (HBR)4 states that over the last decade, global flows of goods, services, finance, people, and data have contributed at least 10% of world’s GDP, adding $7.8 trillion in 2014 alone. Similarly, the 2016 study by McKinsey[McKinsey] shows that 86% of tech-based startups they surveyed had some type of cross border interaction.
Based on the above observations, Clause 34 must be reviewed; closer observations of current and future digital infrastructure capabilities have to be taken into account.
Supply chains are not necessarily data localized. This creates problems, because adherence to data localization does not mean that all parties depending upon for data flows are not automatically compliant. ↩
Read the report by Indian Council for Research on International Economic Relations (ICRIER) here: https://icrier.org/pdf/Economic_Implications_of_Cross-Border_Data_Flows.pdf ↩
Cory explains in his paper that concerns of cybersecurity can be managed through means other than data localization, and shares estimates of overall financial losses for countries that implement data localization policies. https://www2.itif.org/2017-cross-border-data-flows.pdf ↩
Article link: https://hbr.org/2016/03/globalization-is-becoming-more-about-data-and-less-about-stuff
[McKinsey]:Summary of the study is published at: https://www.mckinsey.com/~/media/mckinsey/business%20functions/mckinsey%20digital/our%20insights/digital%20globalization%20the%20new%20era%20of%20global%20flows/mgi-digital-globalization-executive-summary.pdf ↩