Data Localization- Mercantilism in a Networked World
Economic ideas do not die. They resurface again and again, repackaged and refurbished, when the time suits it. Mercantilism is such an idea that politicians and policy makers love to espouse, albeit periodically. The basic premise of this doctrine is that international trade is a zero-sum game. The role of state is to protect domestic industries by building tariff and non-tariff barriers and encouraging export. The obvious appeal of this doctrine to general people is not difficult to understand. It gels well with the notion of national security, national pride and preservation of national assets. It was expected that in the age of internet, such ideas would be considered anachronistic and would lose their currency. But that is not to be.
Data is considered to be the most valuable asset of the 21st century. The most valuable companies of the world are those which are primarily engaged in data crunching. The business of Google, Uber and Amazon would come to a standstill if they could not access, process, and analyze data across time and geographies. Once nation-states realize that the most valuable assets of their citizens and territories are available for commercial exploitation freely, clamor for protection of these assets naturally arises. While individual citizens are rightful owners of their “personal data”, its exploitation without the consent of the concerned persons is a serious infringement of privacy of the person. The European Union (EU) has been in the forefront of creating a stringent legislative framework to protect the “personal data” of its “data subjects”. The EU’s General Data Protection Regulation (GDPR) ( see here) is the most comprehensive regulation enacted so far by any competent authority anywhere. But the overarching requirement of privacy protection does not necessarily imply that all data originating within a nation’s jurisdiction are to be considered as national assets. If “data subjects” are given national tags, it follows that nations-states would consider within their right to create barriers to cross-border data flow. The recent “data localization” policy of RBI needs to be analyzed from this perspective.
The term “data localization” is meaningful and relevant mainly in regard to data flow over the Internet, which is a network of computing devices without any single point of failure and consequent enabling of universal communication capability between all nodes. The internet service providers are not expected to control and be aware of what data flows through internet. Data localization, in essence, is a negation of this architectural construct of Internet. There are two forms of data localization. The first one localizes storage of data. It means that internet service providers must store data originating in a nation-state within the territorial boundary of that nation-state. The second form of data localization policy stipulates that routing of data packets must be confined within the country specific network. This form of localization is also called localized data routing. This is the most restrictive localization policy. Countries adopting data localization policy mostly adopt the first form of data localization. Chander and Le have identified following variants of this form of localization policy: ( see here here )
1. preventing information from being sent outside the country
2. rules requiring prior consent of the data subject before information is transmitted across national borders
3. rules requiring copies of information to be stored domestically
4. a tax on the export of data
Data localization policies are being adopted by many countries because of the genuine concern of many national governments about the disproportionate capability of USA to access sensitive data pertaining to the respective countries’ national security available on data stores of Internet service providers, many of which are located outside the national boundaries of the concerned states. The Snowden episode confirmed the existence of a nexus, probably forced, between US security establishment and US technology firms including Google and Yahoo. Subsequent to Snowden revelations the German Interior Minister declared that, “whoever fears their communication is being intercepted in any way should use services that don’t go through American servers.” ( Hill 2014) The concerned ministers of France and Brazil unequivocally lent their support to data localization policy. It is beyond doubt that one of the important factor of data localization policy of non-US countries is their desire to minimize “their comparative disadvantage in Internet data hosting” vis-à-vis US and “their comparative disadvantage in Internet signals intelligence”. ( Selby 2017) ) Thus data localization policy is being adopted by countries cutting across political regimes as a comprehensive review by Chander and Le shows. 14 countries studied by them are: – Australia, Brazil, Canada, EU, France, China, Germany, Indonesia, Malaysia, Nigeria, Russia, South Korea and Vietnam, besides India.
Accepting that above concerns of national governments is legitimate and requires to be addressed by the proponents of open and neutral Internet, a more informed and rigorous analysis is required to evaluate costs and benefits of data localization policy. It must be stated to the credit of the US technology giants that they are more concerned to uphold the sanctity of Internet than succumbing to the narrow national interest of US governments. For example, Microsoft, Google, Apple, Facebook and other technology firms successfully fought U.S. government in court “to gain legal authority to provide the public greater detail on the information the U.S. government collects from them”. (Hill 2014) Many companies are taking steps to diversify their data center locations to escape stranglehold of US intelligence agencies.
Tying data to territorial boundary, also termed as “Data Sovereignty”, is a natural extension of the concept of sovereignty to the virtual world. Sovereignty connotes supreme authority within a territory. The term authority refers to, in the words of philosopher R.P.Wolff, “the right to command and correlatively the right to be obeyed” (see here). In a modern democracy this authority is derived from a set of principles, objectives, practices and code of conducts called constitution. “Data Sovereignty” means that this supreme authority can be enforced on data originating and /or pertaining to the people subjected to this authority. But despite their best efforts, the modern nation states have not been able to quarantine their national data in their entirety. This diminishing effect to a sovereign’s authority over data of their citizen is the driving factor of data localization policies of different countries. Even a country specific domain name like www.abc.co.in does not indicate the physical location of the server which hosts the website and provides information or services. Thus Internet is indifferent to physical location of computing devices comprising the cyberspace. So defining “Data Sovereignty” in terms of territorial authority is a non sequitur.
Recognizing the futility of transcribing laws enacted and bounded by physical space to cyberspace, Johnson and Post has called for “distinct laws” for this virtual space (see here). For example, how do we apply anti-trust laws to companies which operate only on cyberspace? The landline based telecom companies fought to restrict Internet based voice call (VOIP) but failed miserably. Digital currencies are being resisted by all central banks but there is no doubt that in the long run the central banks have to fall in line and adopt some form of central bank digital currency. Applicability or otherwise of country specific copyright laws to the cyberspace is another example of distinctive nature of cyberspace. A subscription based access to copyrighted contents on Internet has materially changed the consumers of these contents and its producers, resulting significant benefit to consumers in terms of reduced cost.
The proponents of free trade policy have pointed out how data localization policy is reincarnation of mercantilism in a virtual world. Treating data as an asset, nation-states wants more of such assets to flow to its own territory while for cyberspace location of an asset is of no consequence.
Let us, for example, suppose that Google is forced to store all data pertaining to Indian users of Gmail in India. First of all, how does Google identify a user as Indian? Presumably, it can be done by identification of IP address of the user. But what is to be done in regard to an Indian trying to register as Gmail user from abroad? Or when a foreigner is registering using an Indian IP? If an elaborate e-KYC norm is imposed on Internet users, it would be so cumbersome and costly for Internet service providers that the present practice of free Internet would be a casualty. Furthermore, if all data of a citizen are stored within the national boundary, the citizen might face difficulty to access her own data from abroad, if no mirror dataset is available in some other geography.
Internet works on routing of messages. This works on Domain Names identification and resolution of address within a domain. Today there are about 330 million domains. Even if a sovereign authority blocks access of its citizens to some domains, new domains can be created within no time to bypass such blocking. China is reported to have created the most restrictive firewall for access to Internet by its citizens. This might have helped in creating some of the world’s largest Internet enterprises like Baidu, Tencent and Alibaba. But it will also prove to be the greatest hurdle to realization of China’s dream of becoming the world’s dominant superpower. It is doubtful whether world population at large would like to share the fate of Chinese citizen – described as “world’s biggest prison for netizens.”
The hypothesis that data localization would prevent a foreign government’s ability to snoop on sensitive personal data of citizen of a nation-state is not borne out by some recent cyber-attacks, allegedly orchestrated by foreign governments. The alleged Russian interference in USA presidential election shows that in a networked world the security of data is not enhanced by creating physical access barriers to such data. The recent example of malware driven data hacking of Core Banking System of Cosmos bank of India is an example of the false assurance that location provides guarantee that data would be secure. It has been reported that NSA of USA has “even scaled the Great Firewall of China”. Thus data localization does not serve its primary purpose.
From a technological point of view, data localization is not a very efficient solution for running any cloud based application. A massively large database must be partitioned and stored in distributed databases. Today one type of partitioning known as “sharding” is followed by most large databases. Sharding breaks down very large databases into smaller databases to manage data retrieval very fast. Even a single record can be sharded into smaller parts. Database sharding allows maintaining very large data in less expensive commodity servers. A cloud based application cannot scale up if it maintains large databases in one place. The cost of maintaining data can increase exponentially because such large database would require high-end computers.
RBI’s data localization policy
RBI in a circular dated 6th April 2018, instructed all payment system providers “to ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required”. (see here)
RBI’s data localization policy is driven by its intention to get unfettered access to payments data originating in India for surveillance purpose. RBI argues that such access is an absolute necessity for effective detection and prevention of any money laundering activity. The purported reason for requiring data storage “only in India” is that, in the event of any conflict with the country hosting Indian payment data of a service provider, Indian regulator may be prevented from accessing such data.
Although such an eventuality cannot be ruled out, in today’s interconnected world no country can unilaterally deny access to payment data pertaining to citizens of another country. Many countries including India now share financial and taxation data with other countries through bilateral or multilateral agreements. For example, India has signed bilateral agreement with US Tax authority to identify, document, and report U.S. accounts to comply with the U.S. Foreign Account Tax Compliance Act known as FATCA. A U.S. account is an account maintained by a U.S. person (whether individual or entity) or by a foreign entity with U.S. ownership of more than 10% of the capital, whether directly or indirectly. OECD countries are signing similar financial data sharing agreements amongst themselves and with other non OECD countries under the Automatic Exchange of Information (AEoI) initiative of G20 countries. Obviously such sharing cannot be a one way traffic. India being a member of G20 can direct the payment service providers to store data with such countries with which it has such data sharing agreement. If such an agreement is made on reciprocal basis, outright denial of access to India’s own payment data can be of remote possibility. India can mandate payment service provider to share all cross-border transactions with RBI through a FATCA type agreement with the host country storing Indian payment data.
As regards money-laundering and terrorist financing, India is a member of the Financial Action Task Force (FATF) and has implemented its recommendations. Data localization is not a recommendation of this international body. Additionally a government can enter into Mutual Legal Assistance Treaties (“MLATs”) with other countries to access data stored in another jurisdiction but needed for its own lawful investigative purposes.
Data sans Frontier
The pervasive effort towards data localization by nation-states is a reflection of deep insecurity that the nation states are feeling in a networked world. It is not understood that the rules of games have changed forever with the introduction of a radically different communication and workflow management architecture – that is Internet- that encompasses the entire world. The allurement of Mercantilism to the general public lied in its apparent pragmatism and simplicity. It ignored the feedback effect of such a policy and long-term consequences. The same is true of digital mercantilism that is driving the data localization policy.
Internet was lapped up by nation-states when it appeared to be a mere new form of message transfer. It was not understood how the new technology is going to undermine the basis of nation-states- that is the sanctity of the national frontier. “America First” is a vacuous and anachronistic concept when the most valuable US incorporated firms produce goods and services cutting across the national boundaries.
Let me conclude by referring to the reactions of policy makers when Galileo introduced his telescope to the policy makers. A senator in the Bretolt Brecht’s drama “Galileo” exclaimed- “the contraption lets you see too much. I’ll have to tell my women they can’t take baths on the roof any longer”. Galileo then attacked their materialist attitude saying: “These people think they’re getting a lucrative plaything, but it’s a lot more than that”. I am afraid that our policy makers are no better than these senators of Galileo’s time.
Castro Daniel(2013) The False Promise of Data Nationalism paper published by The Information Technology & Innovation Foundation (ITIF)
Drake William J (2016) Data Localization and Barriers to Transborder Data Flows: Background Paper for World Economic Forum conference (http://www3.weforum.org/docs/Background_Paper_Forum_workshop%2009.2016.pdf)
Hill Jonah Force (2014): The Growth of Data Localization post Snowden: Analysis and Recommendations for US Policymakers and Industry Leaders in Lawfare Research Paper series July 2014
Selby John (2017): Data localization laws: trade barriers or legitimate responses to cybersecurity risks, or both? in International Journal of Law and Information Technology, 2017