US flexes cyber muscles

With the RBI data localisation mandate becoming effective as of October 15, the debate on its legality and viability is revived. Reports indicate that whilst most entities subject to regulation by RBI have complied, the larger multinationals, who probably account for the larger quantum of transactions, are still resisting compliance.

RBI’s circular of April 2018 pertain only to banks and payment systems that it regulates. Its mandate for data localisation also was restricted to all aspects of payments data. The multitude of commercial establishments, which have and utilise financial data, will be covered only under the provisions of the proposed Personal Data Protection (PDP) Bill, 2018. The deadline for public comments is now closed and the presentation of the final draft Bill is expected soon.

Presently, the draft PDP Bill also clearly provides for localization of critical personal (CP) data, but leaves definition thereof to the Central government. Global trends that are elicited and the recommendations accompanying the draft PDP Bill clearly indicate that a wide spectrum of CP, including data of critical infrastructure, finance and health would probably form part of CP.

RBI may have jumped the gun with its circular pre-dating the draft PDP Bill and Report, but it is not off the mark in its call for localisation. Many of us were sceptical about the call for localisation keeping in mind business needs and practicalities, but there cannot be any quandary about protecting critical data from rampant dissemination.

The objections to data localisation range from economic to absurd – additional costs and teething problems that any change in processes entail, do not appear to be the real reasons for the objections though they are projected, as such. The other objections touted at most discussions across India are (a) possibility of surveillance by Indian law enforcement agencies, (b) breaches and vulnerabilities of systems and (c) purported availability of better infrastructure outside India. The other and more recent objections including from USA is for “free flow of data” to enable businesses and to “benefit users”.

Each of the above objections to data-sharing appear specious. Surveillance was and continues to be a matter of grave concern, but to claim that it is a malaise restricted to India is untenable. Indians would in fact benefit from localisation to the extent that there would be immediate access to remedies against violation of due process. This would not be the case if their rights are violated outside India.

System vulnerability too is not confined to India. As with the vulnerability of systems in USA or Europe, so would it be in India. Similarly, the need to create local infrastructure and systems only spells business opportunities for India. The cost is an on-time investment and the returns and benefits are likely to be sustained over long periods of time.

Finally, free flow of data is and continues to be the bedrock of the Internet, but the very jurisdiction seeking this is the one which moved away from a Net Neutrality regime. That does not justify India opting for protectionist or exclusionary processes. Again, this would be so only if the data localization sought is intended or will result in the same.

Data localization mandated under the RBI circular and that which is envisaged under the draft PDP Bill are not completely protectionist. It is limited to financial data under the RBI circular and CP under the draft PDP Bill.

Scratch the surface and the real reason for opposition comes to the fore. The need for one of the largest caches of data, as India is, stems not just from commercial interests or profits, but from the larger issue of “Control”. USA’s attempt to flex its muscles to coerce RBI to reverse its position or to extend an extremely elongated compliance window, indicates its intent.

Data sharing and control over data has become the new battleground for control. Many an instance of not just data collation or analysis, but of manipulation using data analytics demonstrate the power of data. USA’s ‘‘Clarifying Lawful Overseas Use of Data Act’’ or the ‘‘CLOUD Act’’ and its overreaching provisions for interception and procuring of data of any online user is another illustration of the vulnerabilities that Indians’ data may be subjected to with unfettered data transfers.

The Justice Srikrishna Committee Report indicates that the decision to allow free flow of data and to limit restrictions only to CP indicate a well thought out process.

Apart from loss of control, the next large concern appears to be jurisdiction. There has been consistent resistance from multinationals to subject themselves to India’s jurisdiction. Instances abound of government authorities’ orders and in many instances even court orders not being complied with on grounds of jurisdiction. Localization would necessarily ensure not just ease of obtaining data for investigative, tax and other government purposes, but also for victims and litigants to enforce their rights more expeditiously.

The final fear-factor appears to be the nemesis of “taxation”. The Income Tax Act, 1961 already defines the principal place of business wide enough to encompass the place where a business, profession or vocation is situated. Localization by itself would mean implementation of local infrastructure, which may give the taxman his much-needed jurisdiction.

Data localization is here to stay. RBI’s circular and its implementation by a substantial number of entities governed by it has already proven feasibility. National interests, exercise of sovereignty, need for easy access to data and possibly preventing foreign surveillance and dissemination are all bound to prevail over external pressure, for the Indian Government to pass the provisions for data localization.

The writer is an Advocate, Supreme Court and Bombay High Court specialising in cyber laws. Views are personal.