Data sovereignty of India: A look at the bilateral ties and Law enforcement

Sovereignty of countries is considered as their right and the supreme authority to govern themselves. We proudly refer India as a Sovereign state, since her independence, and enjoy the self-governing status in the international political arena. However, when “Data” as an adjective gets preceded to it, we are taken forward to a complete new mechanism which may be perceived as much more complex but yet much more relevant to the modern times. A simple example of international trade involving consumers, cannot take place without collecting and sending personal data across borders-such as names, addresses, billing information etc. For ensuring its privacy and protection from cyber breach, Data sovereignty comes into play. With this, an organization’s data gets stored in a host country and is subjected to the laws of the country in which the data originated or the data subject is a citizen of. In maximum cases it is subjected to the jurisdiction of more than one country depending on the path of the data. Businesses often choose to store data overseas; It makes doing business easier, costs less and ensures that data is backed up and stored safely and with minimum difficulty. For example, a local service provider may be a branch office of a company based elsewhere. If head office handles all the billing, the data is sent and stored overseas which can include all kinds of information including credit card details, health records, personal information and financial records.

Depending on the type of data, some files can be stored anywhere in the world without any confidential concerns. Cloud Service providers across the world are a major reason to enforce a data sovereignty law. With the rapid spread of cloud computing and the growth of cyber spaces, large masses of information are easily transmitted transnationally. This necessitates the ratification of new agreements and cooperation efforts amongst states in order to secure the cyber network and regulate the exchange of information.

India’s stand on Data Localization

Data localization law requires the data related to a nation’s citizens or residents to be collected, processed, and stored inside the country, before being transferred internationally. It can only be transferred after meeting the local privacy or data protection laws by giving the users notice on how the information will be used and obtaining their consent for the same. Despite the significant benefits to companies, consumers, and national economies that arise from the ability of organizations to easily share data across borders, many countries, irrespective of their development phase, have erected barriers to cross-border data flows, such as data-residency requirements that confine data within a country’s borders.

India’s Ministry of Communications and Technology enacted data transfer requirements as part of a 2011 change to The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules. These rules limit the transfer of “sensitive personal data or information” abroad to only two restrictive cases — when “necessary” or when the subject consents to the transfer abroad. It is difficult to establish that a transfer data abroad is “necessary”, hence this provision would effectively ban transfers abroad except when an individual gives consent. The ministry clarified that these rules only apply to companies gathering data on Indians and only when the company is located in India. Other than these privacy rules, India has some more significant provisions which are highlighted below-

• In 2012, India enacted a “National Data Sharing and Accessibility Policy,” which effectively means that government data must be stored in local data centres.
• In February 2014, the Indian National Security Council proposed a policy that would institute data localization by requiring all email providers to set up local servers for their India operations and mandating that all data related to communication between two users in India should remain within the country.
• In 2014, India’s enacted the Companies (Accounts) Rules law that required backups of financial information, if primarily stored overseas, to be stored in India.
• In 2015, India’s Department of Electronics and Information Technology issued guidelines that cloud providers seeking accreditation for government contracts would have to require them to store all data in India.

India’s recent Bilateral Agreements on Cyber Security

India’s major bilateral agreements happen in the form of Memorandum of Understandings (MoUs) signed by the Indian Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology with its counterparts in other countries to extend support and mutual cooperation. When the cyber agreements or policies are formed, the issue of data sovereignty gets in-built and countries are reaching a level of cooperation to achieve successful data localization without any abrupt restriction on data flow. Few important MoUs have been mentioned in the following in a reverse chronological order-

2017

1. India signed a Memorandum of Understanding Department of Homeland Security, Government of the United States of America on cooperation in the field of cyber Security. The MoU intends to promote closer co-operation and the exchange of information pertaining to the Cyber Security in accordance with the relevant laws, rules and regulations of each economy on the basis of equality, reciprocity and mutual benefit. Since, 2011, regular interactions between CERT-In and US CERT are taking place to share the information and discuss cyber security related issues.
2. India signed an MoU with Bangladesh Cyber Emergency Response Team (BD CERT) for improving Cyber security between the two countries.
3. A recent visit of Prime Minister Narendra Modi to Berlin, marked the agreement of cooperation through the German-Indian Cooperation on Cyber Policy and commitment to work along with the UN Group of Governmental Experts in the Field of Information and Telecommunications in the Context of International Security.

2016

1. India’s Global Cyber Security Index (GCI) is 0.683 for 2017 with global rank being 23rd. Singapore is the leading nation with an outstanding approach for ensuring Cyber security with GCI of 0.925. Singapore and India are focusing on the establishment of a formal framework for professional dialogue, CERT-In and SingCERT related cooperation for operational readiness and response, collaboration on cyber security technology and research related to smart technologies, exchange of best practices, and professional exchanges of human resource development.
2. Another Memorandum of Understanding (MoU) between India and Vietnam in the field of Cyber Security intends to promote closer cooperation for exchange of knowledge and experience in detection, resolution and prevention of cyber security-related incidents between the two countries.
3. CERT-In agreed with the UK Ministry of Cabinet Office to promote close cooperation between both countries in the exchange in knowledge and experience in detection, resolution and prevention of security related incidents.
4. A protocol on technical cooperation in cyber space and combating cybercrime was signed between the Ministry of Home Affairs of India and the Ministry of Interior of Qatar. The protocol adds an important dimension of bilateral technical cooperation in cyberspace and combating cybercrime to the existing framework agreement in the field of security signed in November 2008.

2015

1. During an official visit of Home Minister Rajnath Singh to Beijing from 18 to 23 November 2015, China and India agreed to set up a mechanism at the Home Minster Level, to strengthen collaboration on, among other things, cybercrime. The mechanism will be complemented by exchange visits by experts in related fields and the strengthening of exchange and collaboration where law enforcement capacity building is concerned.
2. India’s Prime Minister Narendra Modi and his Russian counterpart announced their decision to step up bilateral cooperation in the field of ICTs included cooperation among relevant agencies and an intention to work towards a “Russian-Indian intergovernmental agreement on cooperation in the field of international information security. It again received an impetus in the 2016 BRICS Summit.

Strategies of developed countries to ensure cyber security

(This compiled data has been derived from the 2017 report on “Securing the nation’s cyberspace”, made by ASSOCHAM India and PWC)

India can learn a lot from these countries in terms of policy focus and implementation strategies especially activities like bug bounty programmes and empowering the ethical hackers in India to compete on a global front. The issue of cybercrime has become a pressing concern for every nation in recent years as the exploitation is taking place in borderless nature of the internet and circumventing the national legal agencies. This makes data sovereignty as a pre-requisite for information security. What is important to note is that outdated laws and regulations, weak enforcement mechanisms for protecting information on a network, create an inhospitable environment for government data and e-business. If our laws and regulations are moving in the right direction then welcoming innovative ideas for counter cyber attacks and a quicker implementation and adherence to the signed agreements on cyber security become the next necessary step to move towards achieving a virtually secured state.

Originally published at The Dialogue.