“Over the past year, the Indian government has drafted and introduced multiple policy instruments which dictate that certain types of data must be stored in servers located physically within the territory of India. These localization gambits have triggered virulent debate among corporations, civil society actors, foreign stakeholders, business guilds, politicians, and governments” – The Internet Society of India.
The vision outlined by the Government of India for establishing digital data sovereignty is approaching its final stages. This implies the practice of storing and securing data, ensuring its residency aligns with regulations. This also involves confining the geographic location where citizens’ data is stored and processed within the governing laws of the country.
Challenges with Public Cloud Providers on Data Sovereignty
Cloud migration in India is growing rapidly, but there are critical challenges that need to be re-examined by various governments and enterprises-
- Legal and Regulatory Compliance: Public cloud providers often operate across various jurisdictions, making it challenging to ensure compliance with diverse and evolving data protection and privacy regulations in different regions.
- Data Localisation Concerns: Countries, including India, are moving towards implementing strict regulations that mandate certain data to reside within their borders. Public cloud services may encounter challenges in meeting these residency requirements, potentially resulting in legal and regulatory issues.
- Security and Privacy Risks: Entrusting sensitive data to third-party public cloud providers may raise security and privacy concerns. Organisations must carefully assess the provider’s security measures and data handling practices.
- Limited Control: Users of public cloud services may have limited control over the physical location of their data and the infrastructure supporting it. This lack of control can be a barrier for organisations with specific data residency or sovereignty requirements.
- Data Access and Retrieval Challenges: Depending on the location of the public cloud data center, there may be challenges related to data access speed and latency, impacting performance for users located in different regions.
- Vendor Lock-In: Organisations may face challenges if they decide to switch cloud providers due to contractual and technical complexities. This can result in dependencies on a specific provider, limiting flexibility.
- Inconsistent Security Standards: Different public cloud providers may have varying security standards and practices, making it difficult for organisations to maintain a consistent level of security and compliance across multiple cloud environments.
- Political and Geopolitical Risks: Changes in political or geopolitical landscapes can impact the regulatory environment and potentially affect the data sovereignty landscape, adding uncertainty for organisations relying on public cloud services.
Navigating Regulatory Landscapes
To adhere to this approach, India currently has existing policies that address localisation requirements based on the type of data, particularly in sectors such as banking, telecom, and health. These include:
- RBI Notification on ‘Storage of Payment System Data’, the FDI Policy 2017
- The Unified Access License, and the Companies Act, 2013 and its Rules
- The IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017
- National M2M Roadmap
- Digital Personal Data Protection (DPDP) Act, 2023
- MEITY – Cloud Policy
These policies largely covered the key components such as enabling innovation, improvement in cyber security and data locational and enhancing national security, protecting against foreign surveillance, and defining strategy towards data sovereignty and localisation. And, considering the Geo-political challenges which the country faces, data localisation and sovereignty are going to be a critical component for policymakers.
The Ministry of Electronics and Information Technology (MeitY) has already established the National Government Cloud with empanelled service providers to ensure that sensitive data, including government and defense-related information, is stored locally. This initiative is to be considered as the initial step toward data localisation.
Some international examples of data and consumer protection rules include The US CLOUD Act (2028) China’s Cyber Security Act (2017) and the famous UK and EU GDPR (2018). There are a few industry-specific laws that cover the data localisation principles such as HIPAA, PCI DSS, BaFin, FISMA, GAIA-X, EBA, etc.
Need of Sovereign Cloud Framework
To overcome the globally dominated digital transformation strategies and to ensure data sovereignty and security, the innovation and development of sovereign cloud frameworks become a critical aspect of national technological strategies.
This technology framework should have the capability to provide:
- Data Localisation
- Government Compliances
- Customisation Capabilities
Summary
In summary, to align with the national vision, Government and Private organisations should adopt the Data Location Approach in the cloud computing ecosystem to safeguard critical national data which will serve as a key enabler for economic growth and innovation. Yotta, as a cloud service provider, aligns with this vision by offering cloud services to the government and enterprises. These services are developed in India, hosted in India, and adhere to data location and sovereignty principles.
