Data localisation and the danger of a ‘splinternet’

Vinay Kesari July 26, 2018

Data localisation – the requirement that data be stored and processed physically within the territory of India – is not a term usually heard outside of the decidedly wonkish setting of digital policy conferences. However, it is now occupying column inches on the front pages of newspapers thanks to recent events, including the Reserve Bank of India’s notification on storage of payments information, as well as reports that it is one of the primary reasons [paywall] for the Justice Srikrishna Committee’s report on data protection being delayed. In order to understand why this is happening, we need to look at how India has approached this issue so far, the possible regulatory motivations behind the new moves, and their potential implications on industry and common citizens.

Which sectors already have data localisation requirements?

Surprisingly few. By far the most prominent is telecom, where telcos are required under their licence terms to store “user information” only in India. While the breadth of such information hasn’t been defined, this would presumably include call data records, internet browsing history, and even location (which telcos are required to record, independent of GPS, using a method called cell tower triangulation). That is undoubtedly a rich data set and it is received wisdom that allowing telecom companies to transfer this information outside India would pose a national security risk. The Indian government isn’t unique in this belief – countries such as Germany have similar restrictions in the telecom sector.

Apart from telecom, there are limited data localisation requirements in just a few other sectors such as insurance (details of policies and claims are to be stored only in India) and banking (where certain original records need to be maintained in India, though there is no bar on transfers of copies outside). Finally, there is a blanket requirement that government data, even when handled by third parties such as cloud storage firms, needs to be physically stored in India.

Overall, therefore, India has had a pretty stable and predictable regulatory framework when it comes to data localisation and, more broadly, the cross-border transfer of data. Until now.

What did the RBI do?

Citing the recent growth in the payments ecosystem in India, the RBI issued a notification requiring “payment system providers” to store all payments data only (emphasis mine) in India. “Payment system providers” includes a wide range of players including the National Payments Corporation of India (NPCI) which operates UPI, international card networks such as MasterCard and Visa, money transfer operators such as Western Union, and operators of pre-paid wallets such as Amazon Pay. (UPI, short for Unified Payments Interface, is a new payment system backed by NPCI that directly connects to a bank account.) While the term doesn’t specifically include operators of pure payments apps (without a wallet) such as WhatsApp Payments or Google Tez, the notification was widely worded and had implications for them as well.

The RBI notification was predictably met with strong opposition from many quarters and, in particular, has touched off a lobbying battle between US firms on the one hand, and Paytm on the other.

At the core of this debate is the motivation behind the RBI’s move. The text of the notification states that “to ensure better monitoring, it is important to have unfettered supervisory access to data stored with these system providers”. It is unclear, though, why this need cannot be met by requiring them to store a copy in India, as opposed to effectively prohibiting them from moving this data out of India. This lack of clarity has already resulted in the finance ministry pushing back against the RBI with exactly such a suggestion.

Srikrishna Committee and data localisation

The white paper that laid out a roadmap for the work of the committee raised specific questions for stakeholders about whether there should be a data localisation requirement for personal information. Its own analysis shows extensive data localisation requirements for personal information in only two countries: China and Russia, not exactly role models when it comes to online regulation. An analysis of some of the stakeholder responses to the committee’s data localisation questions shows them to be overwhelmingly against general data localisation requirements, particularly within the framework of a data protection law.

So why then is data localisation supposedly a sticking point in the work of the committee, with some reports stating that a “majority of the 10-member panel has expressed the view that… it will be in the best interests of the country… to ensure that key data of residents remains in India”?

Justice B N Srikrishna

Unfortunately, there is no reliable way to know, because of a lack of transparency surrounding the committee’s work, which has included not releasing stakeholder responses (as opposed to telecom regulator TRAI, which always posts them online promptly), and denying RTI requests for minutes of the committee’s meetings.

All of this can only leave us guessing at the motivations behind any possible move towards mandating data localisation.

Governments and data localisation

Some of the common reasons given by governments for data localisation include:

> Easier law enforcement access to data for the purposes of investigation and prosecution: This has been a bugbear of Indian security agencies for the longest time. The digital services that most Indians use are based overseas and the process to request information from the service providers has to contend with jurisdictional issues and the glacial pace of requests under the existing international treaty regime. The presence on the Justice Srikrishna Committee of the National Cyber Security Coordinator, who would speak for the entire national security establishment including law enforcement and intelligence, is one indicator that this could be a consideration. However, pushing through law enforcement objectives through a data protection law could be a fraught move. It would also be curious given that India has been fruitfully engaged in bilateral discussions with the US on this issue and the passage of the CLOUD Act in the United States should eventually make data sharing by US firms with Indian law enforcement much easier.

> Economic impulses, where a country believes it can spur the creation of data centres and associated jobs and infrastructure, by requiring local storage of data: This would be a short-sighted move, however, and there is no indication that this is a consideration. Moreover, for organic technical and commercial reasons, this trend is already accelerating, with Amazon, Microsoft, Google, and many other major players opening data centres in India in recent years.

> Protectionism, where ‘local’ firms are given a leg up through regulation that will impose a larger burden on ‘foreign’ firms: We are already seeing this play out in the case of the RBI’s payments data notification (perhaps inadvertently), with Paytm clearly lobbying against competitors citing national security concerns and touting the fact that they already store all their data only in India.

> The difficulty of effective enforcement of data protection legislation, since extraterritorial enforcement of laws (for example, ensuring that a company in France storing data of Indians complies with Indian law) is difficult: This is a genuine concern, but it’s worth noting that even the EU’s General Data Protection Regulation (GDPR), which is arguably the most comprehensive data protection law in force currently, does not mandate data localisation. While it does impose restrictions on cross-border flows of personal data in the event the receiving country does not have a strong enough data protection framework, there is no blanket requirement that personal information only stays within the EU.

> “National security” considerations, such as preventing data from falling into the hands of foreign intelligence agencies: The long-standing data localisation requirements in the Indian telecom sector are, for example, generally considered to exist for this reason. More worryingly, data localisation can be part of a strategy to maximise state surveillance, with deep implications for the civil rights of citizens in a country like India where intelligence agencies function with little oversight or regulation.

> Increasing tax revenues: Here, a country could potentially use data localisation requirements as part of a strategy to force internet companies to have a larger presence in a country and, perhaps, record more revenue. This could provide a basis (albeit a very disruptive one) to increase their tax liability and would interfere with the careful tax planning and corporate structuring of major global internet companies. However, India has for some time been pursuing a different, comparatively less disruptive strategy with respect to taxation of online services, including tweaks to both the indirect tax (service tax on Online Information Database Access and Retrieval services) and direct tax (introduction of the equalisation levy) regimes.

Data localisation versus the idealised internet

Data localisation is undoubtedly a nasty wrinkle on the face of the idealised conception of the internet as a borderless world. And though this idea of the borderless internet has lost some of its sheen in recent years, it’s hard to deny that it has been one of the main reasons for explosive digital growth. Online services can spread and scale across dozens of countries without having to set up physical infrastructure in more than a few. Plus, the ability to aggregate data and derive value from it is a key value proposition for many internet businesses, and data localisation jeopardises that model.

RBI notification on data storage

Major Indian startups such as Freshdesk, Ola, and Zomato benefit from this borderless world, which allows them to offer their services in new countries while still largely operating their digital infrastructure out of just one, with reduced infrastructure and compliance costs. There is an argument to be made that if India touches off a trend where major countries impose strong data localisation requirements, Indian startups could lose out in foreign markets against local rivals or deep-pocketed US and Chinese companies. A fragmented internet, or “splinternet”, is not a friend to permissionless innovation and would be at odds with the goal of India as a major digital power.

Where does that leave India?

A senior finance ministry official reportedly telling Paytm not to bring the national interest into a debate around data storage is just one indication that there is no policy consensus yet between the various wings of government on whether India should have more extensive data localisation requirements and, if so, what the rationale behind them should be.

The ministry of commerce, for instance, might have a strong view on this. Cross-border data flows are an important part of new multilateral trade treaties such as the Regional Comprehensive Economic Partnership (RCEP), and India introducing data localisation requirements could affect delicate negotiations. More broadly, strong data localisation requirements could eventually result in blowback in the international arena that could affect India’s IT services majors such as TCS and Wipro, which process huge amounts of personal data of foreign citizens. Separately, the ministry of electronics & information technology may have split priorities since it has a role to play in the enforcement of internet-related laws, but also has to promote Indian startups that benefit from a borderless internet.

This is a complex issue, with differing implications for various ministries, potentially serious business impact, and civil rights considerations. The Justice Srikrishna Committee and, more broadly, the government, would need rigorous analysis, a clear rationale, and internal consensus before adding data localisation requirements to new or existing laws.


               

Disclosure: FactorDaily is owned by SourceCode Media, which counts Accel Partners, Blume Ventures, Vijay Shekhar Sharma, Jay Vijayan and Girish Mathrubootham among its investors. Accel Partners and Blume Ventures are venture capital firms with investments in several companies. Vijay Shekhar Sharma is the founder of Paytm. Jay Vijayan and Girish Mathrubootham are entrepreneurs and angel investors. None of FactorDaily’s investors has any influence on its reporting about India’s technology and startup ecosystem.