If you expect a healthy dose of nationalism in policy-making ahead of 2019, you won’t be disappointed. Still trying to digest last week’s Personal Data Protection Bill draft and 213-page report, I found in my inbox an undated 19-page ‘E-Commerce Draft National Policy Framework’, marked ‘strictly confidential’.
Data is the oil of the digital economy, it said. And that data from e-commerce platforms, social media, search engines…should be stored exclusively in India. And be ‘shared’ with the government. And RuPay, the Indian government’s alternative to Visa and Mastercard, should be promoted strongly.
Think about that. If this Commerce Ministry draft became law, Google, Facebook, Twitter, Amazon…they’d all need to isolate and store user data in India for all services.
But back to last week’s highlight: the Friday release of the much-awaited report of the Justice Srikrishna Committee of Experts on Data Protection, along with the draft Personal Data Protection (PDP) Bill.
Not everyone had waited patiently for this draft.
TRAI had jumped the gun with its ‘Recommendations on Privacy, Security and Ownership of Data in the Telecom Sector’ released on July 16, with the Srikrishna Report weeks away. Side note: telecom is the biggest data player. The mobile (a billion of them) is the real on-ground identity. It’s also central to Aadhaar, bank account, wallets, everything.
And the RBI had issued a terse circular in April, directing all payments providers to store their data only in India — with six months for compliance. This was a high-voltage shock to payment firms such as Visa and Mastercard, and a nice fillip for NPCI (and its RuPay) and Paytm, which discovered nationalist nirvana.
Despite global criticism and representations by payments firms and trade bodies such as USISPF and NASSCOM, the RBI dug in its heels. Its public response was to issue a letter demanding a compliance update.
And now, the draft PDP Bill of July 27 goes further than even the RBI in placing pre-Internet-era restrictions on cross-border flow of data.
First, the draft PDP Bill classifies all financial data, even passwords, as ‘sensitive’, a label that should really be reserved for data that can harm people, such as through profiling and discrimination, as committee member Rama Vedashree wrote in her dissent note towards the end of the report.
Balkanizing the Internet
Second, the draft Bill restricts cross-border flow of sensitive data. Such data would have to be mirrored in India, for government access. If it’s further classified as ‘critical’, then it would have to be stored only in India.
The RBI folks are jumping with joy. For not only does the draft PDP Bill back their stance, it extends it to all financial providers, including banks, and not just payments firms.
Wait. This is 2018. The Internet is a global network. Cloud-based systems are global. Your Gmail isn’t stored in one box in California. If you balkanize the internet and isolate it into boxes separated by borders, you begin to destroy the foundation of the internet.
Payment providers use their own secure global networks. And global platforms, tools and data-sets for fraud mitigation, anti-money laundering, customer safety and service. Add AI and machine learning, and you have a system that depends on global tools and third-party service providers.
Example: three point-of-sale payments happen on one card in quick succession in three malls in Milan. It’s borderline, but the third transaction is blocked and a message goes to the user. The user calls, says she is not in Milan. Her card is blocked. Machine learning kicks in: the system learns this was the right call for this pattern, and shares this learning globally. The next day a similar pattern is detected and blocked in Pune.
Machine learning algorithms also forage the internet for recent online activities: social media, payment patterns, IP location, device activity, billing address. The more data points algorithms gather for you, the better they can detect pattern violations — and lower risk for you.
Now, the RBI says: keep customer data only in India. Even if it allows live processing outside, that does not let AI or machine learning draw on global datasets. That reduces security. Apart from the cost of replicating those global platforms in India. There’s also reciprocity. If the global networks aren’t allowed access to Indian dataset archives, why should Indian networks be allowed global data access?
And then there’s a world beyond financial data that harsh data localisation will impact.
The local password
What happens to email? While it hasn’t been explicitly mentioned, the draft PDP Bill says passwords are sensitive personal data. They must thus be stored in India, at least as a mirror. Does that mean all passwords for all services — email, Facebook, Twitter, every online service in the world? Subscribe to NYT or Playboy and your password should be in India!
This is bizarre. It’s a deal-breaker for every global online service. Let’s start with Google, which does not segregate Gmail users by their home address, and so has no easy way of isolating ‘Indian’ users. Even if it did, there’s no way it’s going to move data, or passwords, of ‘Indian’ users of Gmail to India. The same applies for Facebook, or Yahoo, or any other global online service.
Let’s talk reciprocity. If India goes extremist on data localisation, inspired by China (and Europe), why would the West not strike back? Starting with that fount of new-found nationalism, Trump’s America? Our software and BPM services export revenue of $126 billion is predicated on free cross-border flow of data. India processes the Western world’s financial data. Even if the RBI hasn’t asked to block real-time global processing of financial data, there’s no guarantee of a precise eye-for-eye reaction. If the Trump administration strikes back with ‘no processing of US sensitive data in India’, there goes much of India’s BPM exports.
There’s still hope: there will be stakeholder consultations, as the IT minister has committed. And of course, enacting this Bill into law is a long way away, though the RBI could well go ahead with its harsh data localisation demands, striking at Visa, Mastercard and others.
But I’m not holding my breath on the stakeholder consultation. The swadeshi wave is rising.
The connected, global digital economy of 2018 may need to give way to the realpolitik of 2019.
The writer is a tech policy and media professional.