(P.S: This is a reflection from the discussions had at the conclave in Delhi on July 14/15, 2017 on “Securing Cyber Space”)
The Conclave hosted a discussion on Legal Issues on Data Localization, Jurisdiction and Sharing in which I made out certain points which are reflected in this article.
The principle of Data Localization is “Data” should be stored in the country of its origin, particularly when the data relates to the personal information of its citizens. It is a demand of the law enforcement for a long time even in India. Change in law is also being demanded in this context.
In practice, Data Localization translates into holding the data in a data center which is physically located within the boundaries of a given country.
Jurisdiction is a growing concern particularly with the development of Cloud Computing and is related to the demand for Data Localization. Presently most Cyber Laws provide extra territorial jurisdiction in law though at the implementation level, there is a problem of exercising jurisdiction in the absence of treaties.
Data Sharing is related both to Data Localization as well as Data Jurisdiction but it is more a factor of “Attitude” and “Business Concerns”. If industry wants to share data on incidents either among themselves or with an industry specific CERT, there is no law to prevent it since there is always the possibility of de-identification of personal data. Businesses are more concerned about reputation loss and avoid data sharing and this attitude needs to change.
Certain countries have started legislating on Data localization. Initially small countries like Nigeria and Vietnam started the trend perhaps to preserve their authority being eroded. Russia in 2015 mandated that “data operators that collect personal data about Russian citizens record, systematize, accumulate, store, amend, update and retrieve data using databases physically located in Russia”.
China has announced a “Cyber Security Law” which mandates that “Critical Information Infrastructure Operators” need to store certain personal and business information within China.
Some countries have tried to achieve data localization objectives by placing legal restrictions on data being stored outside their jurisdiction by imposing heavy penalties. GDPR is one such example. Even HIPAA of US falls into this category.
India has already been trying to implement the Chinese model where by Government sector data is to be stored within India through operational guidelines. A law can however be introduced either through the amendments now under consideration for ITA 2008 or through the proposed Data Protection Act being designed.
In taking a view on the required legislation in this regard, we need be clear on why do we like or need Data Localization.
For example, we need to ask Is Data Localisation required
a) As a strategy to increase data storage business in the country?
b) As a requirement to protect the privacy of the data subject?
c) As a means to empower the law enforcement to investigate crimes?
d) As a provision to enable snooping by Government?
If we need Data localization to protect the privacy of a data subject, we need to also pass necessary laws of privacy protection and without such a law, the data localization demand appears less convincing.
Law enforcement or the Government requires only “Access to Data” for their investigation and it is immaterial whether the data is in India or abroad.
There are also enough provisions already in the law to demand production of data for investigation or even snooping (through ISPs) under ITA 2000/8 and quite often the problem is not with the law or the powers of the law enforcement but the willingness of data controllers to abide by the demand.
Under Section 69, 69A, 69B or 70B, authorities in India may demand entities who are collecting and storing data from India to provide access including decryption failing which the entity can be charged for non-cooperation with criminal penalty for the executives of the Company. If the data controllers are not understanding their liability or the authorities not enforcing their powers, then we need to see how do we improve the enforce ability of the law.
Data by its very nature needs to be copied for disaster recovery purpose and also need to be encrypted for security purpose. We therefore cannot legislate that data cannot be copied or encrypted.
Disaster Recovery against “Country Risk” requires storage of data in multiple countries. Hence when we talk of “Data Localization”, we may only be able to insist that “A copy of the Data shall be stored in the local server” which will serve the policing requirement. This is different from the provision of “Data Shall not be moved out of the borders” which is required for Privacy Protection requirements.
We know that Data irrespective of location can be accessed and manipulated from anywhere. Hence data stored here in India may be made inaccessible by encryption or even deleted so that law enforcement is denied access. At the same time even if data is stored elsewhere in the cloud, it can be accessed from India if we have the credentials.
Hence the requirement being pursued that data should be stored in the servers located in India is not necessarily a critical requirement. What we need is “Data Access” which is a function of the willingness to the data controller to cooperate which is addressed in the penal provisions attached to ITA 2008 for not cooperating with CERT IN or Secretaries of Home or IT in different contexts.
One of the other speakers pointed out that even for treaty purposes, a provision under CrPc such as Sec 91 notice can be held equivalent to a judicial order to claim that the respondent needs to comply under the treaty. Under this principle, the need for a new law for cases where the existing law with appropriate notifications may suffice is not supported.
Even if a law is attempted, it may have to restrict itself to “Data of Indian Subjects” and cannot extend to data of foreign subjects processed in India.
In this context we may have to define our Data Protection law with the distinction as to the nationality of the data subject which should become part of the data classification procedure . There could be separate regulations for Personal and Sensitive personal data of Indian subject, Data of non personal kind from Indian corporate, personal Data of data subjects of different countries of origin, non personal data of foreign data subjects etc.
On the contrary if we fully utilize the powers under the ITA 2008, we can achieve all the law enforcement objectives. In case of resistance by data controllers,we have no option to exercise our penal provisions to ensure compliance.
We therefore can think of shedding our fixation on “Server Presence in India” and focus more on “Ensuring Compliance of Data Controllers to Indian law enforcement requirement”.
The concept of “Data Access” being more important than “Data localization” is already enshrined in our law through Section 65B of Indian Evidence Act which recognizes that “Data as Viewed on a Computer can be admissible in a Court of law, if it is produced along with some relevant certificates” without the “Data Container” (The hard disk in which data resides) is brought into the custody of the Court.
We need to appreciate that Data is like Spectrum. It can be experienced but not held in hand. The binary data gets processed in an application and operating system and gets rendered as an text or sound or an image visible or audible by a human being. This effect of the data is what causes legal issues and “Access” is sufficient to provide judicial validity to data wherever it resides as long as it can be accessed from India. If people donot cooperate in allowing such access, they will not do so even if we seize the server and bring it into the Court.
The objective of Data Localization, Data Jurisdiction and Data Sharing therefore boils down to
a) A permission to access data when required
b) Avoid any body else from preventing such access
ITA 2008 provides quasi judicial powers to the Director General CERT-In which extends not only to the Government sector but also to the Private Sector. He has necessary powers to issue notifications that need to be complied with including mandatory reporting of incidents. If these powers are properly exercised, the need for a new Cyber Security Law for Data Localization, Data Jurisdiction and Data Sharing may not arise. Any such new law will only increase the confusion with overlapping provisions in multiple laws.
On the other hand, if we desire to introduce Data Localization for the purpose of increasing Data Storage activity in India, we can do so not only for the storage of personal data of Indian data subjects, but also for the global citizens by implementing strategic business oriented decisions including some legal fine tuning.
For this purpose we need to allow setting up of defined “Data Processing Zones” (One the lines of SEZs) where the processing is made immune by law to intervention of Indian laws. Such Data islands can be used to process data of foreign subjects as per laws of that country. If the services can be otherwise cost effective, there is no reason why data processors abroad may not think of using Indian data centers for processing data of EU or US data subjects subject to laws of their respective countries.
Summary of Action Points
- Law already recognizes that Data is different from the Data Container and while Data Containers can be placed within India, data inside is controlled on the basis of logical access which may be exercised from within the country or outside. Hence Data Localization as a concept of data server being located in India is not a critical requirement. Enforcing Access to data is more critical.
- Law can define classification of data based on the citizenship of the data subject in addition to the sensitivity parameters. Indian law may be able to regulate the law of Indian data subjects irrespective of location of the server.
- Law may liberate the information of foreign subjects processed in India from Indian regulation by creating special Data processing Zones. This will promote Indian and foreign companies to process the data of subjects of their respective countries, subject the laws of their countries with immunity from laws of the Indian Government. This will provide them the confidence that Indian Government does not snoop on this data nor Indian law enforcement seizes the data or asks for access except as otherwise done through treaties. Since the data subjects are not Indian, there is nothing to lose by giving up this right. In the exceptional circumstances, the option of treaty would still be there. This will improve the prospect of “Process Data In India” as a business proposition.
- Though a Separate Cyber Security Law is the flavour of the day with Russia, China, Singapore and Australia adopting that strategy, we donot necessarily follow the herd. To avoid proliferation of laws with overlapping provisions, India may use the existing provisions through ITA 2000/8 with minor amendments to the same act if necessary to meet the requirements of
- having access to data of Indian subjects irrespective of location of servers and nationality of the data controllers and
- to simultaneously liberate the data of non Indian subjects from Indian legal encroachment through setting up of the Special Data Zones.