India wants its citizens’ data to be stored within the country. Now that is easier said than done.
In a draft of the personal data protection bill, 2018, a committee set up under former supreme court justice BN Srikrishna said: “Every data fiduciary (entity processing personal data) shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies.”
Another panel working on a cloud computing policy for India has recommended that data generated from within India should be stored locally.
The idea behind these suggestions is to ensure that law enforcement agencies have immediate and easy access to such data.
While the intentions seem straightforward, such a massive change will involve crossing many huge hurdles.
From legal challenges to physical infrastructure, companies will have to undergo an extensive overhaul to accommodate such a mandate. Among other things, it could raise costs for both Indian and global companies, and force them to tweak their business processes.
“While the (Srikrishna) committee has proposed many sensible things in its framework, data localisation is not one of them,” said Logan Finucan, senior policy analyst with consulting firm Access Partnership. “It has envisioned an awkward system for cross-border data transfers that will do little to protect privacy but will raise costs for digital products and services. Not just foreign companies (will) pay this price, but (even) Indian citizens and companies who use global services.”
India’s data centre and cloud computing business has been growing rapidly and is expected to be a $7 billion market by 2020, up from $4.5 billion now. However, there are concerns about the robustness of the infrastructure that such businesses provide.
Today, most companies store data in centralised servers managed by large cloud service providers that have sufficient expertise against cyber attacks. However, not many Indian data centres can match that level of security.
“India might not always be the best place to store your data if the setup is not geared from scratch for security and privacy and it’s been put up only for compliance reasons,” said Pandurang Kamat, chief technologist at technology service firm Persistent Systems. “(If there is) a company that already has a highly-secure data centre (elsewhere), and they now have to host something locally just for compliance reasons, they may not have the same kind of security protection that they have from their centralised provider…you might actually end up with a worse setup.”
Cybersecurity experts also raise concerns over the idea of having all Indians’ data accessible in a single place rather than having it spread across the world like it is today.
“The bigger concern is that if you try to put data into one place, the entire world knows it and that is where the security risk gets heightened,” said Ashish Aggarwal, senior director at IT industry body Nasscom. “If there is going to be a concerted attack, then knowing that you can get all the data in India makes it easier.”
Such concerns stem from the fact that over 40% of all data breaches in India occur due to malicious or criminal intent rather than technological errors.
Beyond just security, India currently lacks even the basic infrastructure needed to host such huge amounts of data.
The basic requirement to run a data centre is uninterrupted power supply.
While India has overcome its power deficit at the moment, there are still issues around fuel availability and a weak transmission infrastructure.
“In India, we do see a market for data centres and cloud computing but power is a big barrier in terms of pricing,” Aggarwal said.
Meanwhile, data centres also take up large expanses of land, and regulatory glitches around land acquisition and other processes must be smoothened out.
“(The) building code needs to be revisited, otherwise we are having a lot of wastage,” Aggarwal said. “Data centres don’t really need building plans meant for normal buildings.”
What’s the point even?
And even if such barriers are overcome, some experts even question the logic behind hosting data locally.
“In the era of internet whereby anyone sitting anywhere in the world can access the data assets residing anywhere in the world, what purpose does the localisation of data serve?” said Rana Gupta, vice-president at cybersecurity firm Gemalto. “Considering that in many cases, the interaction data being generated will involve interactions between individuals from multiple nationalities, then it is perceivable that the same data will be available in multiple geographies.”