Data localization analysis

ABSTRACT

Development is the first and foremost goal of human beings. And this development is taking place at a rapid rate that too in every sphere. As a part of development data storage methods developed and new forms or ways came into being like on-premises storage and cloud storage methods. This data is nowadays preferred to be stored locally within the boundaries of the specific nation and this process is called data localization. Data localization is important as it enhances one’s data security and privacy. There are many rules and regulations mentioned under different laws under Indian law.

INTRODUCTION

Development is the major goal of all nations and this development takes place in every sphere, especially in the technological world. Due to developments new storage methods have been found like that of on-premises storage and cloud storage methods, etc. Earlier this data was scattered all around the globe in different countries and under different national agencies or organizations. But in 2005, for the first time, the need of localizing data was felt by Kazakhastan, who passed laws, and later in exception to Google all other data was stored within the national boundaries. Later, the need to localize data was felt by several other nations leading to the formation of many such laws.

The process of data localization gave a boost to the data security and privacy of one’s data as the number of people or organizations getting access to the data was reduced dramatically. Not only that even it became easier for government or the organization to keep track of the data and check on whom can access that data. Even in India, many laws were passed regarding data localization under several different acts.

Data was stored within respective boundaries either on-premises in buildings or data centers or in cloud storages through data vendors who agree to store data within specific boundaries.

It might be a costly process but it also generates employment which enhances the economic consideration of the nation or the area to which is subjected.

KEYWORDS:- Data, Data Localization, Servers, Laws, Local Rules and Regulations

Research Methodology

This paper is purely based on pre-existing documents and literature that are present on online platforms

This paper is designed in such a way that it will deal with different aspects of data localization such as:-

  1. WHAT IS DATA LOCALIZATION
  2. WHY IS IT IMPORTANT?
  3. HOW IT WORKS?
  4. PROS AND CONS OF DATA LOCALIZATION
  5. LAWS RELATING TO DATA LOCALIZATION IN INDIA

Most of the data is collected from various authentic sources available on data localization and its analysis is made in this research paper.

WHAT IS DATA LOCALIZATION?

Nowadays we use many internet websites where we create our accounts and add our information to it, all this information is stored in one form or another within the servers of such websites either on physical premises or in the cloud storages which is later on used by the internet for personalizing your internet browsing experience.

And to make this browsing experience faster and better data localization comes into existence. Data Localization is a practice of keeping data within the region from where it is collected or originated.

For example, a company or an organization collects data in India, then stores it in India rather than transferring it to another country for processing.

By the term data localization, we can confirm that the main purpose of data localization is that the data should be collected, processed, and stored within the boundaries of one’s native country. Data that has to be collected, and transferred is done within compliance with the land laws relating to data protection of that very country. This involves informing users how the information is used and then obtained after their consent.

A different angle through which it can be seen is that the country wants data relating to its citizens or natives must be deleted from foreign systems first before being deleted from local or native servers or systems.

One of the first moves which was taken towards data localization ever occurred was in 2005, in Kazakhstan when it passed a law for all the domains to run domestically, later being the only exception to the goggle. Later the desire of being able to control residents’ data flow was expressed by various governments in Europe and several other countries.

Although it is supported by the government of several countries, data localization is heavily opposed by technology companies and multinational organizations as they impact efficiencies gained by regional aggregation of data centers and unification of services across several nations.

WHY DATA LOCALIZATION IS IMPORTANT?

There are several reasons ‘why data localization is important?’. Some of them are as follows:

  1. Data Security

As technology is improving day by day and making our life easier, similarly new and more effective ways of cyber crimes are appearing as well. Cyber crimes like phishing and social engineering attacks are more prevalent and increasing.

Where social engineering attacks involve manipulating and tricking victims into leaking private information, phishing involves messages that appear from trustworthy sources, but are sent by an attacker, this involves sending malicious links and leakage of private information.

Data security in simpler words can be called protection of corporate data and preventing data loss through unauthorized access. Data security does not only involve protection from unauthorized users, but it insures access of that data to only the organization that has access to it.

Data localization plays a major role in data security as it ensures that data is subjected to specific privacy laws and regulations. By keeping the data within the boundaries of the country control of the country over the information becomes more and more absolute. Data localization plays a major role in data security, particularly in the case of businesses that handle sensitive information.

  • Data privacy

Privacy, as a broader aspect, is the right of individuals, groups, or organizations to control who can access, observe, or use something they own, it can be anything like that of their body property ideas and in this case data or information about them.

Data localization plays a major role in keeping one’s data private as it does not only mean storing data locally, but it also means that foreign states will not be able to access it either. Since the foreign states are unable to access the data it narrows down the attackers of data retrieved.

As physical boundary like a locked door helps prevent others from entering the building, similarly data localization helps prevent other states from accessing one’s data. In other words, it acts like an extra barrier that helps in the narrowing of attackers.

Since data is locally stored it makes it easier for the user to access and handle the authorization of the data which is stored within the servers. The Internet is a continuous boon and is ever expanding which makes an individual submit their personal information at several websites which makes individuals more prone to cyber-attacks like phishing and social engineering attacks. In circumstances like this one is required to keep their data private which is further enhanced by data localization, as it creates another boundary and helps in preventing one’s data.

  • Economic considerations

Population is ever increasing and there is always more and more data which is added to any organization. Storing such a huge amount of data requires lots of servers and an able populous to handle such huge servers and operate them accordingly.

Some of the countries see them as a great opportunity to generate employment and create local jobs which further enhances and stimulates economic growth. This makes data localization again an important aspect of the growth of the nation as a whole. This is another reason why data localization is appreciated by the national government.

  • National sovereignty

When it comes to the storage of data locally, it further means giving access to the people to those authorized. In many cases, it is seen by the government as a way to assert their national sovereignty and control over their citizen’s data.

It is also observed in many cases that the government feels data stored outside their jurisdiction and therefore less subjected to their laws and regulation.

  • Improved performance

Another important aspect that makes data localization very important is the improved performance of the servers. As data is stored locally it has to travel a lot less distance as compared to when stored outside the borders of one’s own native nation, which makes data localization important and very useful in the long run.

HOW DOES IT WORK?

Data localization or data residency or data sovereignty does not only involves storing data but also processing it within a specific geographic location. It is very simple for organizations that are based and operate in a single region or country and use on–premise infrastructure for storing data, as long as it remains secure within those data centers.

When it comes to data localization it can be done in many ways and some of the most common approaches for it include the:

  1. On-premises storage

When it comes to storing data locally, then one of the most effective ways is on-premises storage. In other words, it means storing data on physical servers or other storage devices that are located within the borders of a particular country. These physical servers can include many things like building, or renting a data center within the country, or using servers and storage devices that are owned and operated by any local-based company.

Although this is a very effective way of storing data locally, it is fairly simpler for organizations that are based in a single country or nation. It becomes difficult for multinational companies to handle and store data this way as it hinders the data transfer processes. On the other hand, the data remains secure within the data centers, it should be properly localized.

  • Cloud storage

One of the other best ways for storing data is data is considered cloud storage. Cloud storage is one of the most effective ways of storing data as it can be accessed from any place at any time. It can play a major role in localizing data if the cloud servers within the national boundaries are chosen.

However, cloud computing makes data localization difficult and far more complicated, as the area from where it can be accessed is humongous in size since it can be accessed from anywhere around the world. Organizations that are operating through cloud computing have far less visibility of their data than where it is actually stored and processed since cloud vendors are the ones who handle the data.

But, on the other hand, data localization is possible through cloud computing if the cloud vendors commit themselves to only processing and storing data within specific regional areas. Even in this case, the point is not all the cloud vendors have enough amount of this global presence, but still many have this global presence. If the cloud vendor has a data center within that required region then there are any number of ways to ensure that individuals data stay in that very data center.

For example, the approach that Cloudflare takes for its Regional Services offering is to proxy Transmission Control Protocol (TCP) connections to a data center in the designated region.

Another important thing that is involved in data localization is data transfer, which involves the transfer of data from one server to another for the purpose of fulfilling all the requirements of data localization and storing data locally at the required nation. This also involves moving or transferring data from one data center to another between different storage or processing environments. Another factor that plays a major role in data localization is data processing, since data is stored locally then it has to be processed locally as well. For the purpose of processing data within a specific geographic location company or an organization has to use local servers, storage, and other important infrastructure to process data or even the use of locally based cloud-based processing services plays a role in data localization. And data transfer and processing the data has to comply with various laws and regulations to which the data is subjected in that very specific location.

DATA LOCALIZATION: PROS AND CONS

Just like any other entity, data localization has both advantages and disadvantages or pros and cons or advantages and challenges to implement data localization, based on the specific context in which it is being used.

Some of the advantages or pros of data localization which is observed are as follows:-

  1. Data security:- One of the main advantages as well as an objective of data localization is that it improves the safety of one’s data which is being shared with the people. By keeping the data within the borders of the required region of any particular country, enhances the security of one’s data. Data security becomes an important aspect for the government or organizations that specifically handle or deal with one’s sensitive data or information.
  2. Data privacy:- One of the other advantages or pros which is observed is that data localization helps in keeping one’s data private. As individual data is stored within one national boundary and that data is subjected to some of the specific rules or laws and regulations of that land or area, plays a major role in keeping one’s data private. Through data localization one can have more amount of command on whether who can get access to the data that the organization or an individual is sharing or storing within those servers. And once the access gets limited then automatically that data becomes more private which further enhances the security of that data.
  3. Economic Benefits:- for the purpose of storing data, the government has to get a good amount of infrastructure which further requires access to storage areas that can be any building or even renting any data centers, and for the handling and operating of those buildings or data centers or storage areas government need men, which further implies that it will result in job creation and will generate employment. As employment is being generated then it will further enhance the economic condition of the nation or the area to which it is subjected. Hence, data localization has economic benefits, such as local job creation and the stimulation of economic growth within a particular country or subject area.
  4. Improved Performance:- data localization not only helps in keeping data safe and private but it further enhances one’s experience and increases data transfer speed. Since all the data is locally stored within specific boundaries of a required region, then data has to travel far less distance, which further increases and enhances user or customer experience as he/she is able to enjoy better performances of the data or services.

Some of the cons or disadvantages or challenges to data localization are as follows:-

  1. Cost in implementation:- As data localization requires storing data locally within specific boundaries of any region, the government has to store data in different data servers and employ people to operate and handle all those servers, and all these placements of stuff require money which results in cost-effectiveness making it a challenge for data localization.
  2. Complexity:- since data localization requires the storage of data in servers and for that it further requires data transfer from one server to another from one location to another, this data further leads to complying that data with the multiple laws and regulations which makes data localization a difficult and very complex process further hindering the complete process of data localization.
  3. Limited access:- data is stored locally and is always bounded by multiple laws and regulations which makes the data hard to access and handle. Since data that is stored locally has to be bound to certain laws and conditions, that data becomes limited access to the customers. Although this can also be seen as an advantage as it ultimately boosts one’s privacy and security. It not only hinders the access of normal customers but also hinders the access to the companies or organizations based outside the boundaries of those specific areas within which data is stored as it may violate the local rules and regulations of the region.
  4. Trade barriers:- when every data is stored locally it has to follow a protocol and certain rules and regulations which makes it difficult for other organizations and companies located outside those specific boundaries to access that data and operate in a free manner, this acts like a hindrance in the functioning of those companies and has a negative implication over global trade and economic growth.

DATA LOCALIZATION LAWS: IN INDIA

There are many key data localization laws in India covered under different acts over the course of time. Some of the key data localization laws in India are as follows:-

  1. The [1]Indian Companies Act 2013 and [2]The Companies (Accounts ) Rules 2014

Section 94 of the Companies Act, read with Sections 88 and 92, require covered organizations to store financial information at the registered office of the company.

  • The [3]Reserve Bank of India’s Directive 2017-18/153 (April 6, 2018) issued under the Payment and Settlement Systems Act 2007:

Paragraph 2(i) of the Directive requires covered organizations to store payment data within India.

  • [4]The IRDAI (Maintenance of Insurance Records) Regulation, 2015: Paragraph 3(9) requires covered organizations to store insurance data within India.

CONCLUSION

Data localization as discussed is playing a major role in today’s technological era. As already discussed it is a process of storing data and processing it in local specific boundaries, it can be any nation or any other specified area within that country. And for the purpose of storing data locally, one’s data has to get past or comply with the local rules and regulations of that very area. This process can be done either through cloud storage or on-premises area, making it either complicated or cost-effective as discussed above. Storing data locally on premises is an efficient idea, but it leads to costly expenditure on buildings and stuff required for storing data, whereas when it is stored on cloud storages it becomes complicated and less safe as it can be accessed from anywhere from around the world, but just like any other entity it can be stopped or handled by using cloud vendors who agree to store data of any specific location or region. Just like any other entity it also has both pros and cons it is one of the most effective ways to secure one’s data and it further leads to data privacy enhancement as it reduces the number of people or organizations getting access to the data stored, on the other hand, it is very costly as it leads to setting up of building and equipment for the processing and storing of the data. There are many laws to which one’s data has to abide like in India there are many rules and regulations distributed under several other laws.

                                                                                                       By: Paras Swaroop

                                                                                                              Army Institute of Law

References:

  1. https://www.cloudflare.com/learning/privacy/what-is-data-localization/
  2. https://carnegieindia.org/2021/04/14/how-would-data-localization-benefit-india-pub-84291
  3. https://www.drishtiias.com/to-the-points/paper3/Data-Localisation
  4. https://www.khaitanco.com/sites/default/files/2022-01/Data%20Localization%20Laws%20India%20(1).pdf
  5. https://www.imperva.com/learn/data-security/data-localization/#:~:text=Data%20localization%20refers%20to%20the,keep%20data%20closer%20to%20users.

[1] Indian Companies Act 2013 section 94 (2013)

[2] The Companies (Accounts ) Rules 2014  section88 and 92 (2014)

[3] Reserve Bank of India’s Directive 2017-18/153 (April 6, 2018) issued under the Payment and Settlement Systems Act 2007 paragraph 2i (2018)

[4] The IRDAI (Maintenance of Insurance Records) Regulation, 2015 para 3(9) (2015)