Governments around the world have been trying to regularise it so that local laws may apply, but this is proving elusive in the absence of enforceable cross-border legal agreements.
By Sujit Bhar
Recently at a function, Tata Sons Chairman N Chandrasekaran reiterated that the government should take proactive steps towards establishing the regulatory standards required for data privacy, data residency and data localisation. The call could not have been made at a better time. Now that the world is preparing for the long leap, as Covid-19 vaccines slowly come into the market, we need to be prepared with all facilities and contingencies. The pandemic has shown that business in the “cloud” is here to stay. Whether people work from home, or initiate B2B or B2C transactions, or take part in physical exchanges with the help of the cloud, or even if they troop back to their offices, cloud computing and data portability will experience similar levels of acceleration, if not more.
That is where data security comes into play. Governments around the world have been trying to regularise data localisation, so that local laws may apply, but this is proving elusive in the absence of cross-border enforceable legal agreements.
What is data residency? Simply put, it refers to the physical or geographic location of an organisation’s data or information. If Company A, based in New Delhi, stores all its data in a California-based server, then the laws of India might not apply to it. Why do we need these laws to apply? If a set of data, say, is adjudged by an Indian court to be perverse or as critical evidence, the court would want the data, and the server that hosts it, to be isolated and sealed. Data stored in the server would be an exhibit in the case.
Even if the server is based in California and stores only Indian data, it does not come within the sovereign jurisdiction of India or Indian courts. While it may be technically possible to isolate a set of data within the server that is deemed perverse or critical evidence and electronically “seal” it, the California company might not be interested in blocking a large amount of space within its server or servers, in which it has invested millions, for a court case in faraway India. This is just one example of the limits of national laws versus the limitless, borderless movements of data, made possible by technology. Hence, data localisation is an issue that has been a hot topic for governments around the world.
Alongside comes the issue of data portability. What does the right to data portability mean? This is a right that allows anybody who has put a set of data into one service or site to obtain it from that service or site and reuse it for their own purposes across different services. The sense of portability is in moving, copying and transferring personal data from one service to another without compromising on security. This right will also incorporate the right to have the quality of data undiminished or unchanged. Within this right is also incorporated the caveat that all such data will have only been gathered from the user with his or her consent.
In the UK, for example, some organisations are already offering data portability through MiDATA and similar initiatives that allow people to view, access and use their personal consumption and transaction data in a way that is portable and safe. As the internet develops, this portability facility will help people take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits. MiDATA is a novel UK government initiative through which customers will have similar power to access market-targeted products and services as a service provider would generally have had vis-a-vis the customer. That is just the plinth of such uses.
That the UK government is backing this initiative gives it a sense of security. The basic idea is to give the power of the consumer back to the consumer. The government is working with the energy, finance, telecom and retail sectors, making them release customer data back to the individuals in an easy-to-use digital form. The government, thus, is backing a high level of portability, as well as assuring its security.
An ideal situation one day could be when you travel and you need your existing medical insurance policy to follow. Logically, your insurer and your hospital would not release your medical data, your expenses and your credit rating and history during such medical transactions. With the help of MiDATA you will be able to present to the hospital abroad your credentials and history, if you so choose, and access medical insurance or, at least, share your medical history for better diagnosis. This is in a nascent stage, hence laws around it are also being developed. One cannot overstate the importance of security in this. One needs the assurance of security of data during transfer and an assurance of no corruption of data. The other assurance required is of enforceability of laws of the land. If there is data corruption or data is shared without consent, or if data is hacked, either while in storage or while data is being ported, then the individual should have legal recourse.
Chandrasekaran’s call for an adequate regulatory set-up is, therefore, an urgent one. Our legal system has to keep up with the tremendous pace at which technology is progressing. In cloud computing, for example, the user may have no idea where his or her data is being stored, hence will have no recourse to local laws for relief. Suppose you are depositing data in Dropbox, Google Drive or any such paid cloud storage accessory. You would want secure storage and you would want secure portability when a MiDATA-type system is developed in India. You would also want a permanent deletion facility if and when you decide not to have any section of data in that particular device. You require local laws to apply, hence data localisation will be essential. These are critical issues and require a historical timeframe.