What is Data Localization?

Data localization is the act of storing data on any device that is physically present within the
borders of a specific country where the data was generated. Free flow of digital data, especially
data which could impact government operations or operations in a region, is restricted by some
governments.
Due to the transient and pervasive nature of data on the internet, its security is constantly
threatened and indeed been breached at several instances. Data localization is a measure
adopted to give countries increased control over the data belonging to their citizens and
residents in the interest of enforcing data protection regime set by the country and to secure the
critical interests of the nation state. This is achieved by encumbering the transfer of data across
national borders – including through rules preventing transmission of data outside the country,
requiring a copy of the data to be stored within the country or tax on export of data, and
enforcing applicable laws of the country vis-à-vis data security.i
Need for Data Localisation
For securing citizen’s data, data privacy, data sovereignty, national security, and economic
development of the country. Much of the data from online sales, on ecommerce platforms is
likely to be hosted and stored in US data firms. The extensive data collection by technology
companies, has allowed them to process and monetise Indian users’ data outside the country.
To curtail the perils of unregulated and arbitrary use of personal data. With the advent of cloud
computing, Indian users’ data is outside the country’s boundaries, leading to a conflict of
jurisdiction in case of any dispute. Data is a digital transactions footprint. During war or
hostilities, data centres could be switched off. Such scenarios are pushing countries towards
local infrastructure.ii
The Purpose of the Draft Bill
The government constituted a committee of experts under the headship of Justice B.N.
Srikrishna which has issued a report (Srikrishna Report) iii and the draft Personal Data
Protection Bill, 2018 (the Draft Bill). ivThis follows the Supreme Court’s emphatic declaration
of a fundamental right to privacy and the importance of a data protection framework in India.v
One of the notable proposals in the Srikrishna Report is the requirement that companies have
to store certain categories of user data on Indian territory. The Draft Bill envisions that the Data
Protection Authority (DPA) that will specify categories of data that will be required to be
hosted locally. In addition to this broad restriction, it is proposed that a serving copy of all
personal data will need to be made available in India. And the Data Protection Authority’s
approval will be required for all cross-border transfers of data pursuant to any contractual or
inter-group arrangements.
The citizenship of the data principal i.e. to whom the data relates is the basis for jurisdiction in
the Draft Bill akin to the European Union’s General Data Protection Regulation (GDPR). This
principle seeks to overcome the limitations of territorial jurisdiction given the ubiquity of the
internet and data. The localisation requirement which is absent in the GDPR is contradictory
to this approach to jurisdiction. The localisation requirement pre-supposes that territorial
jurisdiction over data is a sine qua non for enforcement. This inherent contradiction dilutes the
uniquely Indian fiduciary jurisprudential approach to privacy mooted by the Srikrishna Report.
The Reserve Bank of India (RBI) in April this year required that all payment data be stored
only in India by payment gateways. The RBI notification is remarkable in its candour,
admitting that the objective behind the move is “to ensure better monitoring, it is important to
have unfettered supervisory access to data.” vi This provides a sense of the government’s
approach to data once it is localised.
The Srikrishna Committee avowedly stayed away from surveillance reform. This, however,
cannot be reconciled with its localisation proposals. vii Admittedly, in certain circumstances, it
is in the public interest for the state to have access to data. The Cloud Actviii in the United States
provides an alternative to the unsatisfactory status quo of the Mutual Legal Assistance Treaty
framework. There appears to be no consideration of using that mechanism to address the issues
of legitimate government access to data by the Srikrishna Committee. This could realign
India’s security needs with the cause of an open and fair digital economy. The Draft Bill instead
seeks to by the slight of a heavy regulatory hand impose these restrictions which is government
usurpation of sound commercial decision making.
The internet permits the market to benefit from efficiencies and multiply value creation. It
connects the user base to the most efficient site for storing data. This is the economic rationale
for a substantial portion of the world’s data being stored in seven countries. This is not to say
that India must not focus on domestic capacity building. That objective however will only be
achieved by the availability of infrastructure and a conducive policy framework.
The global standard of regulation has been crystallised by the European Union in the GDPR.
The GDPR regulates cross-border data flows in two ways. The adoption of standard contractual
clauses. Secondly, declaring certain jurisdiction has having adequate legal safeguards where
data may be freely transferred. It does not adopt an inflexible rule that certain categories of
data are required to be stored in Europe alone. The Srikrishna Committee is cognisant of this
prudent approach given the inclusion of a similar requirements in the Draft Bill. The Draft Bill
however adds another layer of red-tape by requiring that any transfer arrangement has to be
approved by the DPA. This binds down businesses where data flows and synergies constantly
change, with bureaucratic delays.
The requirement of retaining one “serving copy” of all personal data collected within India is
shrouded in mystery. The Report uses the word “live” to describe this copy of data.ix The Draft
Bill however has curiously left that element out. Compliance with such a provision requires
specific details if the regime is to be meaningful at all. Irrespective of the merits of this
proposal, the scope of such obligations need to be in clear and technical terms.
The localisation proposals severely compromise the ability of the digital economy from
benefiting on its efficiencies. It further creates a barrier to market entry that will potentially
isolate India from new innovations in the internet space. One must be wary of regulation
replacing commercial decision making in a market economy. This even more crucial for the
technology and internet sector where change is the equilibrium.
Arguments against Data Localization
Safety of the datax: The irony of the enforcement argument is that restricting service providers
to use the infrastructure within a limited geographical territory increases the threats to data
security. This is because the internet enables centralized data storage and processing, taking
advantage of economies of scale and a seamless, global internet. If, web service providers are
unable to draw on the infrastructural architecture across the world, then the argument of data
security and by extension data enforcement is undermined. Creating check-posts and border
controls on transmission of data splinters the internet the core of which is interconnectedness
into several clusters of networks. This balkanization of the net weakens the data security
measures considerably.xi

Data versus Data Center – Jurisdiction: Mere location of a data center within the physical
jurisdiction of a country does not entitle law enforcement agencies to have better access to data
held by such centers. Access to data depends on who has custody, control and possession of
the actual data - and that may not necessarily be with the entity that provides the local hosting
facility.
Localizing data center does not curtail vulnerabilities: Data destruction doesn't always require
a continent-scale event. The study by the Leviathan Security Groupxii reports that in 2011, a
slow water drip in a nondescript office building in Calgary, Alberta set off an explosion that
caused days of computer outages for hospitals, ambulances, radio stations, taxis, and criminal
justice facilities around the province.
Data Localization cannot stop foreign surveillance: Several foreign governments are reported
to use sophisticated malware for data surveillance. Thus, physical access to the data storage or
processing facilities is not technically necessary in order to conduct surveillance activities.
Threat of domestic surveillance:xiii By extension of the same argument as the advocates of data
localization, local government may exercise greater coercive power over domestic businesses
storing data to circumvent legal protections.xiv
Cost of localizationxv: Reports suggest that the costs of effecting the data localization
requirements are prohibitive. A few examplesxvi:
i) The report from Levianthan Security Group shows that data localization measure raise cost
of hosting data by nearly 30 % to 60%.
ii) The European Center for International Political Economy reported that enacted or proposed
data localization policies in China, for example, would cost as much as 1.1% of its GDP:
reducing domestic investment by 1.8%, exports by 1.7%, and welfare by the equivalent of 13%
of each citizen's salary. The same report also stated that in the European Union, the costs would
add up to .4% of its GDP, reduce investment by 3.9%, and result in welfare costs up to USD193
billion.
Cost of data breach: One must also consider the revenue leakage that will be unavoidable
during the transition from the present set-up to a new regime. The 2018 Cost of a Data Breach:
Global Overview studyxvii reports that the global average cost of data breach is already up to
6.4 percent over the previous year to USD 3.86 million. The average cost for each lost or stolen
record containing sensitive and confidential information also increased by 4.8 percent per year
over to USD148.
It will create domino effect of protectionist policy and other countries may also follow it. This
leads to fragmentation of internet. US-India Business Council is also against Data
localisation.It may affect India's young start-ups that are attempting global growth.It may affect
big firms like TCS and Wipro because they are processing foreign data in India. Even if the
data is stored in the country, encryption keys may remain out of reach of national agencies. It
can act as "barriers" to expansion of services in India, impacting not only consumers but also
growth of Indian payments market. Infrastructure in India for efficient data collection and
management is lacking. xviii
One of the basic problems for companies complying with data localization laws is the difficulty
in determining which categories of data need to be locally stored and which can be moved
abroad.
As cross-border trade increasingly moves towards e-commerce and relies on the use of internet
technologies such as cloud computing and big data, data localization policies pose a major
threat to the economy and businesses’ bottom line.

Imager Source: https://www.bigbangerp.com/blog/data-localization-laws/

i
Data Nationalism' authored by Anupam Chander and Uyen P. Le, available at
http://law.emory.edu/elj/_documents/volumes/64/3/articles/chander-le.pdf.
ii
https://www.insightsonindia.com/wp-content/uploads/2018/10/Data-Localisation-in-India.pdf
iii
Report of the Committee of Experts under the Chairmanship of Justice B.N. Srikrishna.
https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
iv
Draft Personal Data Protection Bill, 2018.
v
K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.
vi
“Storage of Payment System Data”, RBI Notification dated April 6, 2018 (RBI/2017-18/153)
vii
Clauses 40 and 41, Draft Bill.
viii
Section 105, Clarifying Lawful Overseas Use of Data Act, 2018 (United States).
ix
Page 96, Srikrishna Report.
x
'The Harms of Forced Data Localization' by Frank Heidt dated February 25, 2015, available at
https://www.leviathansecurity.com/blog/the-harms-of-forced-data-localization.
xi
See para (b) (ii) under 'II. Exceptions to Free Transfer of Personal Data Outside India' at page 94 of the
Committee Report, where it addresses the issue on 'Balkanization of the Internet and Domestic Surveillance and
Censorship'. However, the argument there is centered around domestic surveillance, censorship and the freedom
of speech.
xii
ibid
xiii
https://thewire.in/law/mastering-the-art-of-keeping-indians-under-surveillance.
xiv
See 'Data Localisation and the Balkanisation of the Internet' by Erica Fraser, available at https://script-
ed.org/wp-content/uploads/2016/12/13-3-fraser.pdf . Also Committee Report argument at page 95
xv
See 'Cost of Data Localisation: Friendly Fire on Economic Recovery' published in ECIPE Occasional Paper
No. 3/2014, authored by Matthias Bauer, Hosuk Lee-Makiyama, Erik van der Marel and Bert Verschelde,
available at http://www.ecipe.org/app/uploads/2014/12/OCC32014__1.pdf ; Report on 'Measuring the Value of
Cross-Border Data Flows' prepared by the Economics and Statistics Administration and the National
Telecommunications and Information Administration, U.S. Department of Commerce, September 2016,
available at https://www.ntia.doc.gov/files/ntia/publications/measuring_cross_border_data_flows.pdf;
'Quantifying the Cost of Forced Localization' by Leviathan Security Group (2015), available at
http://static1.squarespace.com/static/556340ece4b0869396f21099/t/559dad76e4b0899d97726a8b/14363969188
81/Quantif%20ying+the+Cost+of+Forced+Localization.pdf .; 'Tracing the Economic Impact of Regulations on
the Free Flow of Data and Data Localisation' published in May 2016 by Matthias Bauer, Erik van der Marel and
Martina F. Ferracane, available at https://www.cigionline.org/sites/default/files/gcig_no30web_2.pdf.
xvi
A summary of the various studies on cost implication from data localization is available here
http://www2.itif.org/2018-international-internet-priorities.pdf.
xvii
Independently conducted by Ponemon Institute LLC, benchmark research sponsored by IBM Security and
available at https://public.dhe.ibm.com/common/ssi/ecm/55/en/55017055usen/2018-global-codb-
report_06271811_55017055USEN.pdf.
xviii
https://www.insightsonindia.com/wp-content/uploads/2018/10/Data-Localisation-in-India.pdf