Local storage requirements should be “as narrowly tailored as possible” to minimise its “downsides” and optimise for some very specific legitimate requirements, a top executive from Google said.
Speaking virtually at a select media gathering on Wednesday, Google’s chief privacy officer, Keith Enright said that in his experience, data localisation requirements do not typically aid some of the key areas it aims to serve, for instance, economic benefits, preventing access to data by another government or bad actors, and making data available for law enforcement agencies.
Google is not the only one that seems to have reservations about local storage requirements, a key part of India’s proposed data protection framework. Under India’s data protection bill, which is still under consideration, big tech companies are mandated to store a copy of certain sensitive personal data within India and the export of undefined “critical” personal data from the country is prohibited. Last month, Facebook parent Meta’s VP and deputy chief privacy officer Rob Sherman said that the requirement could make it “difficult” for the company to provide its services in the country.
🚨 Limited Time Offer | Express Premium with ad-lite for just Rs 2/ day 👉🏽 Click here to subscribe 🚨
Responding to a question by The Indian Express on the data localisation norms proposed in the country’s draft data protection bill, Enright said governments are batting for local storage requirements to protect data they deem sensitive, prevent access from other governments or bad actors, guarantee access for local law enforcement agencies, and with the hope that such locally stored data will have certain economic benefits. “None of those areas has actually been materially advanced by data localisation requirements. The massively parallelised nature of the web, the way that the cloud has evolved was optimised for security, availability, and efficiency. Data localisation retreats from any of those benefits and it risks fracturing a globally distributed cloud,” Enright said.
“Many aspects of the Internet that people have not come to expect, enjoy and rely upon require the data movement across international jurisdictional boundaries to operate reliably. We need to get together as a global privacy community to ensure that we can provide strong privacy protections and clear rules such that products and services can be operated like people expect,” Enright said. “Now this is getting increasingly challenging because we are seeing privacy and data protection laws develop and proliferate all over the world. While there are certainly some common themes across these, given the velocity and frequency of legislative activity around data protection, we are facing a growing risk of divergent regulation that cannot be rendered consistent which can make compliance for a global company extraordinarily challenging.”
In response to another question by The Indian Express on the IT Ministry’s recent proposal to “encourage” big tech companies to share non personal or anonymised data with a government appointed committee for sharing with the country’s startups, Enright urged that governments around the world should be “cautious” since the space is still evolving.
“When we are talking about steps to be taken to make tools and resources available to startups in India to innovate, our interests couldn’t be more aligned. Google benefits if more people are using the internet. To the specific question around making large anonymous datasets available to fuel innovation, I think it is complicated due to uncertainty and inconsistency over time around the understanding of what is persistently anonymous data and how do you make those data sets available in a way that is secure and private,” Enright said. “I urge caution, before governments anywhere in the world issue broad mandates requiring the data be shared in any particular form, simply because our understanding of the safety and security of sharing different kinds of data in different ways is evolving.”