
The ecosystem of data protection, data localisation and the associated issue of data privacy in India is contemporary in nature and fast evolving. Various issues related to these topics were in a grey area until the recent landmark nine-judge bench judgment of the Supreme Court of India, which unanimously held that privacy is a constitutionally protected right guaranteed by the fundamental rights contained in Part III of India’s constitution. The major implications of the verdict will be seen in the virtual space of the internet and the associated sectors of e-commerce, search engines and data protection companies. The privacy issues related to the virtual world will be compounded as more and more Indians use the internet, with internet penetration currently standing at 31% of India’s total population. It will be interesting to see the legislative evolution of data-related laws and the business alignments and shifts that follow the prospective legislation.
Moreover, the pre-eminence of data as a resource in the 21st century is so colossal that The Economist, in its May edition, equated it with oil. Various Indian businessmen and technocrats have expressed similar sentiments from the business and data democracy perspectives respectively. Data-oriented companies have already turned out to be more valuable than companies clocking more sales on a quarterly basis. The traditional laws concerning mergers and acquisitions, and the laws relating to anti-trust, have to evolve with the infusion of data technology companies. The efficiency of public service delivery in government welfare programs will greatly benefit from the use of data and technology. On the other hand, the issues related to data theft make the tech giants vulnerable and tend to jeopardise the privacy of recipients and beneficiaries of the government’s policy initiatives.
Apart from traditional threats, the non-traditional threats of cybercrime have become especially notorious. The following reasons make cybercrime a potent weapon against firms in the 21st century: the investment associated with such attacks is minimal; it has a high ‘bang for the buck’ effect and is carried out swiftly, catching authorities off guard; it is difficult to pinpoint the exact location of the crime; laws and regulations concerning data protection are inadequate (especially in India); there is no uniformity in such laws across countries; and it is difficult for the regulatory authorities to keep pace with ever-changing technologies. As mentioned before, cybercrime is a growth industry.
As per the recent Intel Security Report, the annual cost of cybercrime to the global economy is more than $445 billion, including both the gains to criminals and the costs to companies for recovery and defense. As per the report of the Data Security Council of India, a sum of Rs 13 million was reportedly lost in India in 2016 in fraudulent transactions because of a malware attack on debit card details. In fact, India’s financial data is so vulnerable that, out of all kinds of data breaches in 2016, 73% were based on unauthorised access to financial data and identity thefts. At present there are moderate to limited data protection laws in India. Various regulatory bodies, like the Telecom Regulatory Authority of India (TRAI) and India’s Central Bank, have come up with their respective consultation papers, which will lead to the drafting of rules in this regard by 2018. Also, by May 2018, the European Union’s General Data Protection Regulation (“GDPR”) will come into effect. As such, there are no global model laws on data protection, and GDPR, being continental in nature, is the only geographically widespread law that will come into existence in the near future. However, guidelines on data protection and data transfers (localisation) are available. Two such recent guidelines are “Data Protection Regulations and International Data Flows: Implications for Trade and Development” by the United Nations Conference on Trade and Development in 2016, and a technical paper by the International Organization for Standardization (ISO) in 2015, which gave detailed technical guidance on how to effectively manage all aspects of data storage security, from planning and design through to implementation and documentation.
In addition to the purported losses on account of data theft, a whole new category of issue that policy makers in various countries are deliberating is data localisation. Data localisation, simply put, is about restricting the cross-border flow of (personal) data and coming up with legislation to encourage local storage and data processing activities. Owing to the business implications associated with data, the stakes are high between data protection and data localisation. Human rights groups would deliberate the issue from the privacy perspective and would consider data movement across the border a violation of privacy. On the other hand, it has various business implications.
A country like India, with its comparative advantage in the service sector of information and communication technology, stands to gain, as various internet-based companies would consider setting up data centers here, thereby creating jobs across sectors. However, in the wake of data being seen as a commodity that can catapult the economic fortunes of a country to a higher level, the national governments of various countries are in the process of coming up with legislation for data localisation. The Indian government too is contemplating laws for data localisation. As mentioned previously, TRAI has come up with a Consultation Paper on Privacy, Security and Ownership of the Data in the Telecom Sector. It mainly talks about data protection, the different stakeholders in the digital ecosystem and the emerging GDPR. The TRAI consultation paper has sought comments and recommendations from the relevant stakeholders. The consultation paper is silent on the time factor of the law, that is, whether the new law will be prospective or retrospective in nature, whereas GDPR was prepared in 2016 and will come into effect from May 2018. The two-year period was provided as an opportunity for businesses to tweak their operations and become compliant with the stipulations of GDPR. Article 44 of GDPR specifically talks about data transfer and data localisation aspects.
A question enmeshed in this debate is who really owns the personal data: is it the people, is it the national governments, is it the service provider or is it any other stakeholder? The paper talks about this issue and states, “Data is the personal data of the individual but the ownership rights, authority to use, transact and delete this data are presently ambiguous”. Getting wind of Indian authorities examining the issue and of a proposed rule making it mandatory for internet and mobile companies to store user data locally, Twitter recently told its users in India that the data collected from them could be moved outside the country. Such pre-emptive changes in the privacy settings of Twitter are an interesting development in this regard, and one may expect more such changes in the near future.
Ultimately, all the relevant stakeholders must rally around a consensus which upholds the right to privacy and quality of life, and in which the commercial interest of an individual and of a business is protected.
Dr. Manoj Kumar is the Founder of Hammurabi & Solomon & Visiting fellow with Observer Research Foundation, New Delhi.
Lex Witness Bureau
Copyright © 2020 Lex Witness - India's 1st Magazine on Legal & Corporate Affairs Rights of Admission Reserved