judge, hammer, auction hammer

DATA LOCALISATION  AND CROSS-BORDER DATA TRANSFER

ABSTRACT:

With the emerging technology, concerns about the misuse of data and its transfer have also grown. The highlighting issue is the privacy which is associated with this data.  We all possess endless amounts of data in our devices; therefore, it has become essential to protect the misuse of it. The data is also essential for our national security, consequently, the government mandates a certain amount of data to be stored within a specific geographical location, this is known as Data Localization. The researcher attempts to address the difficulties and will suggest the problems surrounding data localization policies in this paper. Data localization is the process of storing and processing data in a particular location.

KEYWORDS:

Data, Data transfer, localization, data localization, cross-border, privacy, security.

INTRODUCTION:

Laws and rules requiring data to be gathered, processed, and stored in a particular area or jurisdiction are referred to as data localization. [1] These regulations can vary significantly by country and are often aimed at protecting sensitive information, maintaining control over data, or addressing national security concerns.

For instance, some countries might mandate that a particular category of private or sensitive data—like financial or medical records—be kept on their borders. This could have an effect on how companies run because they might have to establish local data centers or modify their data processing procedures to abide by the regulations.

On a daily basis, data is transferred across different borders. The main challenge and problem around cross-border data transfer is to make sure that the information that is being processed is in accordance with privacy laws and regulations. The transfer of data across borders happens daily. Therefore, it is essential to make the flow of data safe and secure beyond the borders as well.  This frequently entails taking user consent, data encryption, and compliance with particular laws—like the GDPR in the European Union or comparable data protection laws in other jurisdictions—into account. Organizations must take extra care to transmit their data across borders, they can frame various legal frameworks to cope with the issue of misuse of data. To ensure data protection during transmission, this process may involve tools like standard contractual clauses, legally binding corporate rules, or adherence to globally recognized frameworks.

RESEARCH METHODOLOGY:

This is a descriptive paper with qualitative research with the help of secondary sources for the in-depth analysis of data, its localization and misuse, the privacy and security issues related to it, and various relevant laws concerned. Some examples of secondary resources include newspapers, websites, journals, and blogs.

REVIEW OF LITERATURE:

In the modern world, data is so easily accessible that it can be found online anywhere, which leads to data misuse and cross-border data transfer. The literature highlights the importance of data localization and its background details. Various studies and research have also shown the privacy risk involved with the inappropriate use of data. The primary reason behind the misuse of data is its easy availability on the internet within a fraction of a second. The literature will review how the misuse of the data can be minimized and will explain what can be the safer way of storing and transferring the data.

CONCEPT OF DATA AND ITS VARIOUS TYPES:

Laws pertaining to data localization or residency mandate that information about citizens or residents of one nation be gathered, processed, or kept domestically before being sent abroad. For example, any kind of data collected in India needs to be stored there rather than being transferred to another nation.

However, it is now very easy to transfer data, explore data, and access data in a matter of seconds thanks to widespread internet access. Therefore, the privacy issues raised by the data’s easy access also come into question.

  1. Personal and Sensitive Data
  2. Financial information, names, addresses, and other personally identifiable information about an individual, as well as any other relevant records, are examples of personal and sensitive data. With easy access to the internet, personal and sensitive data can easily be shared across borders.
  3. Legal and Regulatory Data
  4. Legal and regulatory requirements information, including compliance documentation, rules, and standards, may need to be localized in order to adhere to specific national or regional laws.
  5. Financial Data
  6. Financial Data includes information about the person’s financial status and all the banking transactions related to them. It’s important to restrict access to such unauthorized data to maintain the confidentiality of financial records.
  7. Intellectual Property Data
  8. Localization laws may apply to data pertaining to intellectual property, including trade secrets, copyrights, and patents. Laws with respect to Intellectual Property data are essential to prevent unauthorized access to data across different borders.
  9. Trade and Business Data
  10. Another type of data is associated with trade. Big companies and firms need to transfer their data to different countries to initiate their business transactions across different countries.

HISTORY OF DATA LOCALIZATION:

When the internet world started just then the idea around the business changed. That was the point when the global economy changed on a large scale. Moreover, the Internet has made the conduct of business in more efficient ways. In 2017, the data carried by global internet networks reached over 46.6 terabytes (46,600 GB) per second, up from just 100 gigabytes (GB) per day in 1992.[2] Global internet traffic is predicted to reach 150.7 gigabytes per second by 2022.[3]Research and studies have also shown that businesses that use the Internet for international trade have an edge over those that don’t.

In this evolving world of the internet, data, and personal information is easily available in just a few seconds. It raises certain privacy and security concerns, but in today’s era, the transfer of data is done on a daily basis. When the data is transferred beyond borders, from one country to another it is known as cross-border transfer. With the advancement of technology and the rise of globalization many companies, businesses, and organizations often need to transfer data internationally for various reasons like outsourcing or for some business deals. But with the transfer of data across borders, the issue of privacy also arises. which led to the formation of certain laws and regulations to keep the flow of data safe internationally.

Some of the regulations are mentioned below-

  1. GDPR
  2.  The European Union has a separate law for protecting data and maintaining privacy. It imposes certain obligations on organizations everywhere across the world as long as the data is related to the people of the EU, It also puts harsh fines against those who violate the privacy concerned with the EU.[4]
  3. CCPA
  4. The California Consumer Privacy Act is a regulation for the people of California, U.S.A. which gives them the right to protect their personal information and to put restrictions on any organization that misuses the data of the people of California, U.S.A.
  5. PIPL
  6. Personal Information Protection Law is a regulation of China that came into effect in 2021. It provides certain guidelines to obtain consent before processing and transferring the data of people of China internationally.

PRIVACY AND SECURITY CONCERNS:

As the digital world evolves, many countries have expressed concerns about privacy and security related to the free flow of data.

 The main security concern expressed is the decline in economic progress due to data mining and misuse of personal data by foreign companies in violation of individual rights.

Therefore, data localization comes into consideration.  Data localization can restrict data flows in a number of ways by limiting the physical storage and processing of data to specific jurisdictions.

These measurements fall into two general categories: soft localization and hard localization.[5]

Hard localization means data will be stored and processed in a certain territory of a country. This kind of localization makes cross-border data transfers impossible. On the other hand, soft localization allows to transmission of data, it’s not as strict as hard localization. These include general localization that is exempt from bilateral and multilateral agreements, such as sector-specific localization and conditional localization.

The sectoral localization means storing the data for a specific sector of the economy. This has both types of localization including hard and soft data localization. On the other hand, where the data is stored, processed, and transferred on the basis of certain conditions is known as Conditional localization.

The most known regulation is the European Union’s GDPR. [6] It imposes restrictions on the free flow of data affecting all EU member states. Meanwhile, China requires the localization of all “critical data” related to “critical information infrastructure” and Russia mandates local storage of all personal data related to public works.

THE INDIAN CASE FOR LOCALIZATION:

Prior to delving into the latest localization efforts that the Indian government is contemplating putting into action, it is imperative to provide an overview of the progress made thus far.

Like some other countries, India has applied a patchwork of data localization techniques in a few economic sectors. For instance, the Reserve Bank of India requires that payment data be stored in India even though it can be processed outside of the country.[7]

Following are the mentioned relevant acts/Initiatives in chronological order that India has already implemented associated with data localization.

 Public Records Act, 1993

Information Technology (IT) Act in 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

  • The above-mentioned IT Acts forbid the transfer of data that is sensitive in nature by any corporate body outside India unless the other corporate party can match the same level of data protection that is authorized under the IT rules.

  Unified Access License for Telecom Service Providers 2004

  •  It requires the storage of subscriber data and its local processing. Additionally, it prohibits the transfer of any information associated with the subscriber.

National Data Sharing and Accessibility Policy (NDSAP)

  • It mandates the localization of data within India only. There are basically two types of data on a broader view which are sensitive and non-sensitive data. The government allows only the transmission of non-sensitive data on certain terms and conditions.

Companies Act, 2013

  • Mandates the companies’ books and records be stored locally in India itself.

MeghRaj Initiative (an Indian government initiative with respect to data storage practices of government departments and authorities),2014

  • It mandates that all the cloud service providers should only give the data center facilities exclusively in India.

National Telecom MDM Roadmap, 2015

  • Requires all M2M gateways and application servers “servicing customers in India to be physically located in India.”

FDI Policy, 2017

  • FDI Policy prohibits the transfer of user’s data outside India.

The IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017

  • Mandates local storage of original pay holders’ accounts.

 Reserve Bank of India Storage of Payment System Data

  • The above-mentioned initiative/act made it compulsory to store data within Indian jurisdiction only. Furthermore, the clarification for the same was issued in June 2019 which stated that the data can be processed abroad, but the final copy will be stored in India.

The Personal Data Protection Bill, 2019

  • The bill mentioned above was passed during the winter session in 2019. To review this bill, it was sent to a committee comprising of Members of Parliament which is also known as the Standing Committee. Justice Srikrishna who was also the head of the committee which was formed for the data protection bill, made a report in 2018 that served as the basis for the bill.
  • The Personal Data Protection Bill, 2019 was inspired by the landmark case of Justice K.S. Puttaswamy & Anr v Union of India, 2017[9] in which the Supreme Court ruled that the right to privacy is a fundamental right.
  • The bill is primarily based on the principles of the General Data Protection Regulation, 2016 (GDPR), which is the data protection law enacted in the European Union and was implemented in 2018. It also proposes data localization laws to further the data protection of Indian citizens.  

International Agreements:

  • General Agreement on Trade in Services
  • The GATS is a World Trade Organization (WTO) treaty. It was effective in Jan 1995.[10] Like the General Agreement on Tariffs and Trade (GATT), this treaty provides a multilateral framework of rules and regulations for trade in services intending to grow this trade.
  •  An undertaking to grant market access and national treatment for the service activity in question on the terms and conditions outlined in the schedule for various modes of supply is known as a specific commitment.
  • Market Access Commitment
  •  A market access commitment states that a WTO member may not treat other members less favorably than specified in their schedule of specific commitments. Any regulations they impose will be viewed as a breach of their commitment to market access. 
  • National Access Treatment
  • Members are prohibited from discriminating in favor of their domestic enterprises under Article XVII of the GATS national treatment commitments unless they expressly provide otherwise in their schedule of commitments. Because foreign companies are required to build infrastructure in the country imposing localization measures, while local companies do not incur these costs, data localization measures give less favorable treatment to foreign service providers. 

TECHNOLOGIES FOR SECURE DATA TRANSFER:

The National Digital Communications Policy of 2018 acknowledged a range of innovative digital technologies to assist India in enhancing its digital landscape through 2022. Since all these technologies process large amounts of personal and sensitive data, they are subject to Section 43A of the Information Technology Act.

  • Cryptocurrency
  • A committee was established on the issue of virtual currencies to investigate the issues surrounding virtual currencies. Subhash Chandra Garg, the finance secretary, was in charge of it.
  • In their report, they highlight that due to the nature of virtual currencies, data localization protocols under the Data Protection Bill need to be considered carefully, as they could have certain challenges due to which the implementation of DLT would be difficult This is a result of distributed data storage in DLT. Indian manufacturers and consumers will be less able to benefit from distributed ledger technology (DLT) in terms of global supply chains, increased data security, and international services infrastructure if all data is centralized in one location.
  • Cloud computing
  • Data localization and cloud computing are two extremes of the same coin. While cloud computing is all about storing and processing data from remote data centers via the Internet, data localization advocates for storing all the data in one location. Both of these are regarded as alternatives to one another. The advantages of cloud computing offset the purpose of enforcing data localization laws to protect privacy. The data of cloud computing is scattered at multiple locations, therefore it has become easy to manipulate that data.
  • Meghraj
  • To encourage the use of cloud services by the government, the government launched a platform or a cloud service which is known as Meghraj. It also mandates that all the cloud service providers should only give the data center facilities in India.

SUGGESTIONS:

India and other nations must both put in place an extensive array of measures to enhance data security and facilitate safe cross-border data transfers. To keep data safe and secure government has to take certain steps and measures to protect data from misuse. To ensure the integrity and confidentiality of transferred data, technological measures such as enforcing strict access controls, promoting transparent data processing, and fortifying encryption standards are imperative. Also, by educating others about the data protection laws, one can keep their data more secure. Shared best practices and standards will also be aided by promoting international cooperation, taking part in forums, and promoting bilateral and multilateral cooperation. Implementing practices like data minimization, data encryption, risk evaluation, and safe communication channels can further reduce the risk involved and can provide a steady, safer mechanism to transfer data across borders.

CONCLUSION:

To sum up it all, the scholar through this research paper delved into the complex issues and concerns surrounding the data and its transfer. Various regulations were discussed in the research paper which helps to regulate data. The most important and safest regulation discussed was the European Union’s regulation.  This regulation is famous worldwide. It was developed by the European Union. The scholar through this research paper also delved into the regulations of India.

 Keeping this factor in mind, data localization can be one tool to control the inflow of data and to prevent its misuse. The scholar attempts to give a brief about data localization, transfer of data beyond the borders, and various laws to regulate the misuse of the data. Working on the current acts/initiatives, strengthening encryption, raising awareness, and educating people about this issue are all necessary to improve data protection across borders in the modern era. By performing all these necessary measures, the data can be kept safe.

Author’s Name-

Hrishika Vishnoi

Student, B.A.LL.B.

IPS ACADEMY, INDORE

 


[1]Watney, MM, “Cross-Border Law Enforcement: Gathering of Stored Electronic Evidence,” J. Info. Warfare, vol. 15, 69, 69-80 (2016).

[2] Burman, A. & Sharma, U., “History of Data Localization,” 3 Carnegie Endowment Int’l L. J. 3, 3-6 (2021).

[3] Ibid.

[4]Kulhari, Shraddha, “Data Protection, Privacy and Identity: A Complex Triad,” Building-Blocks of a Data Protection Revolution: The Uneasy Case for Blockchain Technology to Secure Privacy and Identity, 1 J. Data Protect. Rev. 23, 23-37 (2018).

[5] Richterich, Annika, “Big Data: Ethical Debates,” The Big Data Agenda: Data Ethics and Critical Data Studies, vol. 6, Univ. Westminster Press, 33-52 (2018).

[6] Wessels, Bridgette et al., “Visions of Open Data,” Open Data Knowledge Soc., 45, 45-64 (2017).

[7] Subba Rao, K. G. K. “RBI Database on Indian Economy.” Economic and Political Weekly, vol. 40, no. 42, pp. 4509–12 (2005).

[8]IndianKanoon, https://indiankanoon.org/doc/63546371/ [last visited 28 Nov].

[9] Justice K. S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1

[10] Blanchard, Jean-Marc F., “Introduction: China and the WTO into the Next Decade: Probing the Past and Present as a Path to Understand the Future,” Asian Journal of Social Science, vol. 41, no. 3/4, pp. 243–62 (2013).