Editorial Simplified: Storage Not Same as Control | GS – III

Relevance: GS Paper III (Science and Technology)


Why has this issue cropped up?

Among a host of recommendations on privacy and consent definitions in the report of the Justice Srikrishna Committee (JSKC), Clause 40 on data ownership is generating considerable debate.


What is Clause 40?

It deals with restrictions on cross-border transfer of personal data and states that:

  1. Every data fiduciary shall ensure the storage, on a server or data centre located in India, of at least one serving copy of personal data to which this Act applies;
  2. The Central Government shall notify categories of personal data as critical personal data that shall only be processed in a server or data centre located in India.

This clause has sparked heated discussions on what constitutes critical and personal data and who decides; this article does not deal with these aspects.


Storing data

  • A host of governance initiatives like eMudhra, and also several private applications, are currently being developed on ultramodern distributed ledger (popularly known as blockchain) and edge-computing technologies.
  • By their very definition, such technologies work on global chains of storage where data can reside in any part of the world but access is granted only to those with requisite permissions.
  • These cutting-edge fields could place India on par or even ahead of other advanced countries in delivering efficiencies to its citizens and its economy.
  • However, implementing the JSKC data storage recommendation as law would be tough: it could negate these beneficial possibilities and, in fact, cause serious consequences, as Indian companies working on such technologies (including the government) would be significantly disadvantaged since they would need to create India-specific private blockchains.
  • Such private chains would not only add onerous costs and huge time delays but would also be unnecessary given the technologies prevalent today.

The example of Estonia

  • It is interesting to note the example of the tiny nation of Estonia, which has rolled out a technology called Keyless Signature Infrastructure (KSI) to safeguard all its citizenry data.
  • Essentially, KSI encrypts all the data and stores the encryption keys in a blockchain distributed across a national network of government computers. Actual storage of the data can thus be anywhere in the world, as efficiency dictates.
  • Estonian government officials can monitor changes within various databases, such as who has made changes to a record, what kind of changes are made, and when they were made.
  • The electronic health records of all its citizens are currently managed using this technology, and the country is planning to make it available to all government agencies and private sector companies in the country.
  • The example of Estonia and KSI shows that the place of storage of data does not automatically guarantee access, control or security.
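
The separation described above, as an added illustration that is not code from the editorial, from Estonia's system or from KSI itself: ciphertext sits in storage anywhere, while a hypothetical in-country `KeyCustodian` decides who gets a key and records every request in a hash-chained log. The cipher is a standard-library stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) for a real AEAD such as AES-GCM; all names are assumptions.

```python
import hashlib, hmac, json, os

def _sub(key, label):                      # derive separate enc/MAC keys
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(key, nonce, data):                # HMAC-SHA256 counter-mode keystream
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):                  # encrypt-then-MAC
    nonce = os.urandom(16)
    ct = _xor(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("ciphertext modified in storage")
    return _xor(_sub(key, b"enc"), nonce, ct)

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class KeyCustodian:
    """Hypothetical in-country key service; every key request is hash-chained."""
    def __init__(self, allowed):
        self.allowed, self._keys, self.log = set(allowed), {}, []
    def new_key(self, record_id):
        self._keys[record_id] = os.urandom(32)
        return self._keys[record_id]
    def release(self, record_id, who, when):
        ok = who in self.allowed
        entry = {"who": who, "record": record_id, "when": when, "granted": ok,
                 "prev": self.log[-1]["hash"] if self.log else "0" * 64}
        entry["hash"] = _digest(entry)     # links this entry to the one before it
        self.log.append(entry)             # denied requests are logged too
        if not ok:
            raise PermissionError(who)
        return self._keys[record_id]
    def log_intact(self):                  # any edited or dropped entry breaks the chain
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Whoever hosts the sealed blob can delete or corrupt it, but cannot read it or alter it undetected; the key custodian, not the storage location, determines access and holds the who/what/when trail.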

Implications of JSKC’s recommendations

  • The implications of JSKC’s technologically-challenged recommendations could be significantly disadvantageous to India’s data ambitions. For example, in the economics of data centres and storage, power and land account for more than 75% of the costs. Countries that are more efficient in these aspects will hold the competitive edge in storage.
  • Mandating companies to store data in India-specific data centres or country-specific blockchain would affect efficiencies across sectors. Be it the long-suffering agriculture sector where the NITI Aayog plans to use blockchain to track soil-testing data or the beleaguered banking sector that is forced to store information on India-based data centres, transaction costs will go up across the board and inefficiencies will consequently get passed on to the common man.

Data protection initiatives

  • The NITI Aayog is expected to shortly release its paper on IndiaChain. It will clarify the advances made in technologies like blockchain and provide a mechanism for secure storage of encryption keys in a country-specific set of servers.
  • Adding this to IndiaStack components like eKYC and UPI will not only address the privacy concerns of our citizenry, including those around Aadhaar, but also encourage rapid adoption of blockchain-related projects at scale.
  • IndiaChain, developed and run cooperatively by technical institutions, government and relevant independent organisations, can also federate the responsibility and accountability of maintaining privacy and security of personal information of data subjects, which is one of the serious concerns of the Data Protection Bill.
  • Such in-country stored encryption keys not only “protect” but also “control” insofar as data can be retrieved should there be a legal need to do so.
  • These structural initiatives will do away with the ill-conceived notion that the location of data storage is the only way to control and protect data privacy.

Conclusion

There is clear potential for public policy to position India at the forefront of blockchain advancement, while European nations are still at the nascent stage of signing a declaration of cooperation on a European partnership. A structural approach is needed to make the Indian elephant dance to the tunes of innovation and new technologies.


 
