Welcome back to Legitimately Interested, my fortnightly newsletter on data protection and privacy!
Firstly, I am sorry for missing last week’s issue! There are just some weeks where it’s not possible to fit all my projects in - but I’m back with Issue #5, where we’re talking about data localisation and why regulators and policymakers may be misplacing focus on where data goes. However, please accept this picture of my cat as an apology, dear readers:
Issue in Focus
Like the Beatles song, data protection regulators have been saying ‘all you need is data localisation’ for a long time now. In India as well, multiple debates during the course of the many drafts of the data protection law revolved around not doing enough to keep ‘sensitive’ or ‘critical’ data in India, which was also initially recommended by the BN Srikrishna Committee.
The focus on data localisation means that the subject of cross border transfers is always in the news when it comes to data protection and privacy. Just earlier this month, the ASEAN and EU blocs came to an agreement and issued a guide on data transfers within their regions, which includes a lot of the usual suspects when it comes to compliance - maintaining data transfer registers, using standard contractual clauses, conducting transfer impact assessments, etc. To take a step back from more recent developments, cross border transfers came into renewed focus after the Schrems II judgment, which invalidated the EU-US Privacy Shield and introduced the requirement for ‘supplementary measures’, including impact assessments, if data was to be transferred to any country which doesn’t have an adequacy decision from the EU (i.e., the EU doesn’t consider that country safe to transfer data to). However, there are criticisms of this approach, considering that EU member states themselves have wide surveillance laws. Read Siddharth Sonkar’s post on this, and this interesting take from Prof. David Erdos as well.
India has flip-flopped on this a fair bit, changing the approach to 'blacklisting' countries for cross border data transfers (allowing transfers by default) rather than 'whitelisting' countries (allowing transfers only after safe countries are notified). Most commentary on this is from the lens of how this will ease compliance, since it can be business as usual until notification of a blacklisted country. [This article traces the legislative position over the years in detail].
But rather than the measures or provisions themselves, my issue is with this continued regulatory focus on data localization/international data transfers/data sovereignty. Of course, safeguards for cross border transfers are not a bad thing by themselves. But, very tellingly, most of my recent interactions with the broader, global data protection community reflect the same concern - regulators and companies are spending a ton of time on the question of international data transfers, with, honestly, no clear road to compliance or what to actually do about it. In fact, my discussions with data protection experts have revealed that a lot of international data transfers remain in status quo, since navigating the increasingly messy patchwork of compliance requirements is incredibly confusing and costly.
A quote from a former Information Commissioner in the UK ICO, made last year, drives this home - "[disproportionate focus on international data transfers] takes [regulators'] eyes off the ball from other issues that are incredibly important - children’s privacy, the tsunami of online fraud etc. The complaints that came to ICO were not about transborder data flows, but about real world worries."
So why does the issue of data localisation and transfers (either easing or tightening them) dominate regulatory discussions and priorities? The issue of data sovereignty took center stage with the increased usage of cloud based data storage and business models, and massive revenue potential with cross border data flows. At the same time, this raised concerns on surveillance by other governments, and security issues if local law enforcement did not have access to data. This also led to arguments that encouraging data storage within borders would be of economic benefit - since it would encourage local innovation.
However, exhaustive studies on the subject have shown that even when evaluating all the arguments, the costs of localisation tend to outweigh its benefits - while common sense safeguards for personal data leaving a country’s borders are desirable, restrictive policies may only end up impeding trade. There are also questions it raises with respect to the inherent conflict between keeping data within certain borders and the ‘openness’ of the internet and people exercising autonomy over data - the Centre for Information Policy Leadership argues that restrictive localisation policies can also lead to significant real life harms.
All this said, it’s really crucial to take this one step further. Data localisation is often posed as a panacea for other issues, with governments claiming that the increased security within borders is the solution to a variety of different harms. But this is not always the case - and it doesn’t end up addressing actual information security, aspects of cybercrime, online abuse, trust and safety and usage of personal data for behavioural manipulation, or even surveillance. The point here is that simply storing data in a specific location does not inherently lead to its safety, and does not encourage a second level of inquiry into how to actually protect privacy and prevent data misuse.
As very aptly put in this article (which is part of an insightful broader blog series on forced localisation), ‘While often well intentioned, data localization measures are shortsighted, difficult to implement and hardly a foolproof way to address modern privacy concerns. A more effective approach is to adopt regulatory measures that directly respond to the specific problem of protecting privacy.’ And this gets more dangerous when we consider that not all localisation policies are well intentioned - there are arguments that the focus on such policies is a method of creating moral panic among citizens of a certain territory and feeding into geopolitical tensions.
To sum up, my own opinion is that we have much more pressing issues to contemplate, like real damage caused by fraud, dark patterns & predatory algorithms and privacy by design, among several other burning topics, especially in a country like India, where on the one hand there is staggering innovation and on the other hand, people are getting their hands on smartphones and prolonged internet usage for the first time. I’m also reminded of the heartbreaking scenes from the recent US Senate hearing on child safety, where parents confronted tech CEOs whom they held responsible for the death or abuse caused to their children online. Clearly, the fact that data may be prevented from exiting borders does not guarantee how it is used. Elon Musk’s Neuralink successfully implanting a brain chip in an individual has also led to renewed focus on the debates surrounding the boundaries of mental privacy as it relates to newer forms of neurotechnology.
The seemingly disproportionate focus on where data stays and goes results in a net loss for individual privacy as well as meaningful regulation on focused access to data for productive purposes, and we really need to think about whether this is the most important piece of the data privacy puzzle. I’d love to hear different opinions on this, since it’s a continually evolving debate and topic. Please write in!
Privacy Roundup
Criticism in India by Parliamentary Panel over delay in notifying data protection rules; some reports say that the current government may not have enough time to notify these rules prior to the 2024 General Election
European Court of Justice rules against law enforcement agencies indefinitely storing biometric information
UK ICO issues warning on cookie compliance
New York State takes action against Citibank for failure to compensate those affected by electronic fraud and data breach
Netherlands DPA fines Uber for privacy violations
ASEAN issues multipurpose AI Governance guide
Read this interesting article on the latest data protection and cybersecurity developments in China, and IAPP notes on the APAC region from February 2024
Watch Robert Bateman’s super interesting Privacy Corner updates this week
That’s a wrap on issue 5! Feel free to reach out to me on LinkedIn for suggestions on topics which I could cover, or contact me at the coordinates on my website.