How Data Localization Might be Draconian for Everyone except Black Hat Hackers
The government's intent to protect user privacy is fine, but what makes it controversial is the mandate to store data 'only' in India.
By Sandeep Soni
Opinions expressed by Entrepreneur contributors are their own.
You're reading Entrepreneur India, an international franchise of Entrepreneur Media.
The myopic view taken by the Reserve Bank of India (RBI) to 'secure' payment systems' data through localized storage serves two parties well – businesses with existing local data centers and servers, and black hat hackers. For others, like entities with global data centers and certainly the users, it might not.
There are many reasons why businesses with data centres set up in India see the new regulation as befitting. First, it would hopefully bring down the infrastructure cost for businesses, since large-scale hosting like Google Cloud or Amazon Web Services will be available in India. Hence, businesses are likely to invest more, which would make better plug-and-play solutions available. Second, it would lead to financial services data being hosted in India, which in turn would create opportunities for data sharing platforms. This is similar to credit bureaus having a credit history. Third, with all kinds of data (search, social, consumption, etc.) stored in one place, the interoperability factor would kick in while making credit decisions. Fourth, it would create a level playing field for everyone (Indian companies, foreign companies and those who want to enter India) in terms of regulations and best practices.
"For instance, Indian companies have to follow a two-factor authentication for online payments. But surprisingly, while using services of a global player, customers can get away with it," says Bhavik Vasa, Chief Growth Officer, EbixCash - domestic remittance exchange arm of American software multinational Ebix.
It has acquired multiple businesses across categories in the last few months. Many of Ebix's business operations globally are running out of Indian data centers, located in Noida and Hyderabad. Hence, setting up such centers isn't something new to them.
Moreover, local businesses, like e-wallet start-up MobiKwik (which also hosts data locally), are required to undergo several audits annually, including at least one audit every quarter. On the other hand, most foreign companies get away with it because they aren't subject to similar laws. But MobiKwik's Bipin Preet Singh is more concerned about the use of data to predict consumer behaviour, either for advertisements or for further consumption etc. The data localization guideline has now brought him some respite.
"Data should remain in India as several companies with multiple businesses are also entering into the financial services space. So, it might be challenging as they can claim that their non-financial data shouldn't necessarily be held in India. Now, all that will be put to rest," says Bipin Preet Singh, Founder and Chief Executive Officer, MobiKwik.
Risking Privacy Again
The government's intent to protect user privacy is fine, but what makes it controversial is the mandate to store data 'only' in India. The government can easily supervise the data without restricting its storage outside India, which conventionally helps foreign companies understand global user behavior to develop new products and anti-fraud mechanisms. This can also be done by directing businesses to retain a sort of master copy of the data in India before moving it abroad. In the current scenario, the mandate unbalances the business ecosystem in certain ways: despite providing services via cloud or third-party service providers, a company can't move the data outside India.
"How can a company based outside India access data if it cannot be taken to a foreign location? When data processing happens you need to keep it in the foreign systems. The government should allow businesses to process it overseas, subject to necessary security conditions," says Huzefa Tavawalla, Leader - International Commercial Law Practice, Nishith Desai Associates.
Eventually caught in the crossfire would be the technology-heavy and internet-dependent multinational companies. The RBI mandate would directly increase their cost of doing business, whether through setting up new data centers, tweaking their network architecture, or using a local cloud vendor. Moreover, since the data center market is not evolved in India, local storage may not be the most efficient way. "This would mean passing on the increased cost of doing business to the customers. We are waiting for more clarity from the RBI to understand their regulatory requirements," says a spokesperson from a leading card company in India, requesting anonymity.
On the other hand, if small businesses with limited money are entering India but have to spend significantly on compliance, then it will certainly impact them more. Hence, from a foreign investment perspective, data localization might scare away such businesses in the near future. Also, for Indian businesses that have data centers abroad as well, it would be a loss of time and money to shift them to India.
As the RBI notification of April 6 calls for "unfettered supervisory access to ensure better monitoring," it might mean a severe crackdown on the businesses and also the users. Thus, their sensitive and personal information is exposed to the government, which it can use as a convenient excuse to abuse their fundamental rights, such as the right to privacy and freedom of expression. Hence, it might defeat the purpose of data privacy altogether. The biggest example here is Aadhaar, wherein despite the Supreme Court's order, the government is forcing citizens to link their Aadhaar number to different services. This exposes their privacy to the government, which can track them down any time. Large enterprises too scan user data, but that's to formulate better products and services for the users, unlike the government.
"I don't think there are strong laws around privacy. However, data breach should not be linked to the location, where data is hosted," adds Singh.
Required Decentralization
Further, contrary to the RBI's agenda of user data privacy, while far more data breaches happen outside India, centralization of all the data means attracting more hackers to attack. "But there are tools to mask servers' locations for data protection. The biggest tool is being pro-active. The company can first create a dummy database and incentivize hackers to attack it. This will help them understand the loopholes to be plugged," says Rakshit Tandon, among the top cyber security experts in India and Director, Council of Information Security. This is apart from the cases of theft, fire, flood or other natural calamities. Decentralized storage of data, or having mirror sites in other geographies, divides and reduces the risk. Hence, storing data of 1.3 billion people at one place can create a monumental risk.
"Data is usually stored in one location and backed in another location but RBI's decision goes contrary to that. For instance, if your server is in building A and backup is in building B then not only the risk of hacking but also physical risk is mitigated," asserts Tavawalla.
Another major loophole in the RBI's directive is that the payment system providers can transfer data to anyone, individual or a company, which can in turn export it outside India.
The Justice BN Srikrishna committee, created by the government on the issue, has also found data localization an arbitrary way to solve the privacy puzzle. Its white paper notes, "While data localization may be considered in certain sensitive sectors, it may not be advisable to prescribe it across the board." Reportedly, the committee is likely to mandate large technology companies to store sensitive personal data of users in India.
Globally distributed data, which has made cloud services cheap for new businesses, is in conflict with data localization. Critically, the impact of such exercises by many other countries on their growth hasn't been positive. Where the RBI draws the line to actually safeguard individual and economic interest would be clear in the draft recommendations of the committee report.
(This article was first published in the July issue of Entrepreneur Magazine.)