Data sovereignty is on the rise across the world. Laws and regulations increasingly require that citizen data be stored in local data centers, and often restricts movement of that data outside of a country’s borders. The European Union’s GDPR policy is one example, although it’s relatively porous. China’s relatively new cloud computing law is much more strict, and forced Apple to turn over its Chinese-citizen iCloud data to local providers and Amazon to sell off data center assets in the country.
Now, it appears that India will join this policy movement. According to Aditya Kalra in Reuters, an influential cloud policy panel has recommended that India mandate data localization in the country, for investigative and national security reasons, in a draft report set to be released later this year. That panel is headed by well-known local entrepreneur Kris Gopalakrishnan, who founded Infosys, the IT giant.
That report would match other policy statements from the Indian political establishment in recent months. The government’s draft National Digital Communications Policy this year said that data sovereignty is a top mission for the country. The report called for the government by 2022 to “Establish a comprehensive data protection regime for digital communications that safeguards the privacy, autonomy and choice of individuals and facilitates India’s effective participation in the global digital economy.”
It’s that last line that is increasingly the objective of governments around the world. While privacy and security are certainly top priorities, governments now recognize that the economics of data are going to be crucial for future innovation and growth. Maintaining local control of data — through whatever means necessary — ensures that cloud providers and other services have to spend locally, even in a global digital economy.
India is both a crucial and an ironic manifestation of this pattern. It is crucial because of the size of its economy: public cloud revenues in the country are expected to hit $2.5 billion this year, according to Gartner’s estimates, an annual growth rate of 37.5%. It is ironic because much of the historical success of India’s IT industry has been its ability to offer offshoring and data IT services across borders.
India is certainly no stranger to localization demands. In areas as diverse as education and ecommerce, the country maintains strict rules around local ownership and investment. While those rules have been opening up slowly since the 1990s, the explosion of interest in cloud computing has made the gap in regulations around cloud much more apparent.
If the draft report and its various recommendations become law in India, it would have significant effects on public cloud providers like Microsoft, Google, Amazon, and Alibaba, all of whom have cloud operations in the country. In order to comply with the regulations, they would almost certainly have to expend significant resources to build additional data centers locally, and also enforce data governance mechanisms to ensure that data didn’t flow from a domestic to a foreign data center accidentally or programmatically.
I’ve written before that these data sovereignty regulations ultimately benefit the largest service providers, since they’re the only ones with the scale to be able to competently handle the thicket of constantly changing regulations that govern this space.
In the India case though, the expense may well be warranted. Given the phenomenal growth of the Indian cloud IT sector, it’s highly likely that the major cloud providers are already planning a massive expansion to handle the increasing storage and computing loads required by local customers. Depending on how simple the regulations are written, there may well be limited cost to the rules.
One question will involve what level of foreign ownership will be allowed for public cloud providers. Given that several foreign companies already exist in the marketplace, it might be hard to completely eliminate them entirely in favor of local competitors. Yet, the large providers will have their work cut out for them to ensure the market stays open to all.
The real costs though would be borne by other companies, such as startups who rely on customer datasets to power artificial intelligence. Can Indian datasets be used to train an AI model that is used globally? Will the economics be required to stay local, or will the regulations be robust enough to handle global startup innovation? It would be a shame if the very law designed to encourage growth in the IT sector was the one that put a dampener on it.
India’s chief objective is to ensure that Indian data benefits Indian citizens. That’s a laudable goal on the surface, but deeply complicated when it comes time to write these sorts of regulations. Ultimately, consumers should have the right to park their data wherever they want — with a local provider or a foreign one. Data portability should be key to data sovereignty, since it is consumers who will drive innovation through their demand for best-in-class services.