The report of the joint parliamentary committee (JPC) on the Personal Data Protection Bill, 2019, continues to form the basis for consideration in the Lok Sabha for the legislation protecting the privacy of the individuals. The current proposal would require localisation in India of an undefined but perhaps broad category of ‘critical’ data, in addition to the localisation of ‘sensitive’ data, and payments information already required by RBI in 2018.
The proposed Bill fails to set limits on GoI’s access to personal data. Where data must be stored in India, or cannot be transferred to other countries, according to Rishab Bailey of New Delhi’s National Institute of Public Finance and Policy, ‘localisation may make it easier for domestic surveillance over citizens.’
Localisation also poses severe risks for cybersecurity. In a February 2022 study (bit.ly/3aP36Fz), DeBrae Kennedy-Mayo and I have analysed this. These risks can arise from measures such as the proposed Indian law or the current limits on data transfers after the Court of Justice of the European Union’s (CJEU) Schrems 2 decision in 2020.
For India, the most severe harm may come for the enormous market in third-party cybersecurity services, estimated globally at over $200 billion a year. The 2019 parliamentary report emphasised that India’s IT sector is ‘highly integrated in global data flows’, adding that IT and IT-enabled services (ITeS) account for ‘around 40% of India’s exports, 65% of IT/ITeS produced in India are for global clients, and another 15% are delivered through commercial presence of our IT firms in other countries.’
Consider how limits on transfers of data would affect India’s IT/ITeS. The effects of localisation rules occur when personal data leaves the country. A provider in India, offering services to other countries, would, thus, face prohibitions at the moment of transfer. Such prohibitions could apply to ordinary customer records, such as the information sent outside of India as part of a customer service call or web support session.
For cybersecurity services in particular, however, the effect could be especially severe. Consider a cybersecurity services provider based in India. A customer outside India might contract with the Indian provider to detect high-risk activity, such as IP addresses, emails or other personal data associated with malicious activity. However, with localisation, the Indian provider would apparently not be able to send that sort of data to its customers in other countries – unless an exception existed for such transfers, not currently in the proposed legislation.
More generally, cyberattacks occur worldwide, and cybersecurity service providers need to get constant updates about the details of attacks occurring in other regions of the world. Not only would Indian cybersecurity services be impacted, but so would firms in India seeking to protect themselves against online attacks.
Today, a company’s cybersecurity operations often depend on numerous third-party providers, specialising in different niches such as intrusion detection, authentication and cryptosystems. These, in turn, often rely on numerous sub-contractors for different aspects of their service. Localisation is a bad fit with the complex data flows among third-party contractors and sub-contractors. The best cybersecurity solution for a company could only be permitted if all of those providers and sub-contractors were in India. That is not the case today.
Many best-in-breed cybersecurity services are provided from the US, Europe, Israel, etc. If the Indian firm cannot share the data needed for the service, then it can’t purchase the best available cyber defences. Such lack of availability harms not only the individual firm but will make Indian firms in general easier targets.
Along with this harm to cybersecurity services, a second effect of localisation would be to disrupt the integrated management of cybersecurity risk in an international company. The recognised standards for managing cyber risk are International Standards Organisation (ISO) 27001 and 27002. Thirteen of the 14 ISO controls, and numerous sub-controls, would be negatively affected by localisation requirements.
For instance, localisation can disrupt the ability of a company to know which employees and customers have access to which parts of the system, when the system operates in more than one country. Specifically, in light of India’s abundance of IT support experts, localisation may disrupt their ability to provide services, not only as a third-party service but also within an international company.
It is ironic that data localisation, often proposed in the name of security, can actually pose substantial risks to cybersecurity. As India considers passing the data privacy Bill, policymakers should consider the cybersecurity risks posed by localisation. To protect cybersecurity, international data flows are important for Indian firms generally and Indian IT/ITeS providers specifically. At a minimum, lawmakers should consider exceptions to localisation that would protect security.
These statements are attributable only to the author, and their publication here does not necessarily reflect the views of the Cross-Border Data Forum or any participating individuals or organizations.