Data localisation measures run contrary to best practises in lawmaking. Besides increasing cost and decreasing choice for users, they are bad news for startups globally. Contrary to their intent, such measures make data protection harder.
Data protection is in startups’ DNA. While some applications are indispensable for users, deletion is only a click away if users mistrust a new product that a startup offers. That is why data protection is of paramount importance to startups.
Hence, new data protection bills should always seek to balance obligations against the impact on innovation and smaller players like startups. Unfortunately, the opposite occurs when regulators prescribe a technological solution. In the case of the new Personal Data Protection Bill in India, the remedy that the Srikrishna Committee has falsely identified is data localisation. Now it seeks to impose it on the whole economy.
Lessons from Europe
We’ve been here before: In Europe, the General Data Protection Regulation went live on 25 May, 2018. Although it might still be too early for a final analysis of the impact of the regulation, first evidence shows that implementation is moving ahead, bit by bit. In this process, startups and businesses are trying out new methods and refining them.
Prescribing a technical measure would make compliance far harder. Equally, technical measures inherently run the risk of becoming outdated: How do you know that this measure, say data localisation, might not be unworkable tomorrow? That is, if it isn’t already by the time the law is enacted.
On the other hand, free flow of non-personal data is an example of a regulation that addresses one problem with one solution. Identifying that data localisation can only harm data protection, it seeks to remove all unjustified barriers. This could be ‘a ferrari for startups in Europe’.
A law is only as good as its enforceability. Regulators should strive for laws that can have a 100% implementation rate. To do so, check if it can be implemented by the smallest players in the economy, the startups. If not, might there be something wrong with the way the law is setup?
Bad for startups abroad, bad for startups in India
The answer is: Forced data localisation makes companies less competitive. According to a European Commission survey, 80% of organisations reduced costs by 10–20% as a result of online services and data storage. Prohibiting such online services would be synonymous with a cost increase for startups.
Besides generating additional business costs, the measures will favour larger players, who will have an easier time making a large upfront investment to enter a new market. Forced data localisation impedes cross-border data flows that are essential for companies, especially SMEs and startups, to compete in the global economy.
Instead of encouraging a highly competitive market, regulators will pick winners and losers. Incumbents in closed markets will be favoured, while new ideas will have a harder time to get a foothold. The other side of the coin is that startups in India would have less choice, higher costs and be less prepared to compete globally. For Indian consumers it would lead to less diversity of offerings and higher prices for consumers.
Avoiding a “Splinternet”?
To be clear, data localisation does not add to data protection. Data should be well protected, but it is not dependent on where it is stored. In truth, a startup can invest a lot more in data protection if it needs to be done only once, and not if it has to pay extra in every market it operates in.
The Internet contributes more and more to the economy. Just as setting up trade barriers cause economic harm, so will splintering of the Internet. Data protection is not about data localisation. However, data localisation measures can have an adverse effect on data protection. That insight alone should raise concerns about the outcome of the Personal Data Protection Bill in India. If not, we highly recommend thinking through this scenario from the perspective of a startup.