Data Sovereignty: “Hunooz Dilli Door Ast”

“India will not compromise on its data sovereignty,” the Union IT and Telecom Minister Ravi Shankar Prasad remarked last year, which ignited the debate in the town about the data being the new oil and how countries want to preserve this resource, the potentials and value of which are not yet fully identified. 

To begin with, as is a known principle that every piece of information either on Facebook, Gmail, Instagram, Tik Tok, etc., is stored in the form of 0s and 1s in a device. Thus, data sovereignty refers to the idea that data belongs to the jurisdiction of the nation-state where it is originally stored in binary form and is subject the laws of the country in which it is physically based and collected.  

The last two decades have witnessed exponential progress in the field of digitalization. Needless to say, what began as an acceptance to the idea to recognize business transactions done digitally has now taken a shape wherein a cyberattack on a nation can paralyze and bring down a nation on its knees. 

Every boon is accompanied by a bane. Thus, the advent of technology proportionately increased the number of criminal activities which were either committed in the digital sphere or were propelled by digital tools.  

Such situations forced the local law enforcement authorities in India to seek information from the companies for the investigation and detection of crimes on several occasions. However, instead of replying and providing information, such companies at several occasions have asked the authorities to send letters/representation to the governing nation states by taking the plea of different jurisdiction, thus dragging the investigation in red tapism. 

Due to all the aforementioned and the unidentified potentials of the data, Data Sovereignty gained significance as when data was being stored within the jurisdiction of the governments, they acquired more and more power over it, as it is being governed by their own laws and thus ensures sovereignty. 

The European Union (EU) was quick to identify the requirement for the procedure, protection and control over the personal data collection of the EU citizens’ and residents. EU started the process for development of data protection framework 2012 and finally adopted the General Data Protection Regulation (GDPR) in 2016. GDPR today acts as gold standards in the field which are followed globally. According to it, organizations which collect or process the personal information of EU individuals must store the data within the EU or in a jurisdiction with similar data protection standards.  

In India the requirement of data localisation and the need for the sovereignty of the Republic of India over the data was first highlighted by Justice BN Sri Krishna Committee report on data protection and addressed in the Data Protection Bill.  

The Data Protection Bill, 2019 introduced in the Lok Sabha in December 2019 and thereafter recommended to the Joint Parliamentary Committee, that is yet to submit its report. However, upon enactment this will be the first comprehensive legislative framework of the country which address the issue of data protection holistically.  

Allegedly the most controversial provision of the Data Protection Bill is the requirement from the companies and enterprises to store and process data within India’s geographical boundaries. Needless to say, data localization would ensure a greater control of the Indian government over data, thus the need to ensure proper check and balance so that the powers entrusted on the government are not misused. 

One of the common criticisms of data localization is that it will act as a disincentive to the multinational companies to expand their businesses in the country as the excessive restrictions on storage of data within the territorial boundaries of India will incur heavy costs. But as a matter of fact, India offers the highest number of internet users in the world, thus the ever expanding market and consumer base in India is the biggest factor that tilt the balance of convenience in favour of the Indian government, which would ensure that the organizations would necessarily comply with the data protection laws of the land if they desire to operate in India. 

However, the bill is delayed due to the COVID-19 pandemic situation in the country. With each passing day, more and more data is being transmitted to foreign jurisdictions. The Government of India must act proactively to identify that the data transmitted is data lost. The enactment of the Data Protection Bill would be India’s first step towards data sovereignty but achieving the desired objective would be a long way to go. The Indian Government should act swiftly because Dilli abhi door hai janab!!