Time to strengthen Data Localization as more foreign Companies become mercenaries

 

The war in Ukraine may be between Russia and the NATO interests where Ukraine is a willing sacrificial goat. While we can appreciate the resolve of the Ukrainians to join the war directly, the Latvian Parliament approving their citizens in Ukraine to join the fight, some other foreigners to travel to Ukraine and join the war front are worrying trends.

While companies like Twitter have for long been recognized as their own masters trying to engineer regime changes in countries through fake messages, a new trend that has emerged in the current war is that non-media companies in US have also joined the information warfare by “Denial of Access” to certain services which they are bound by contracts. This is an contractual default under International law though they may cite “Act of war” as a reason.

For example companies like Dell and Apple have stopped their hardware supplies to Russia and some of these are defaults of contracts with parties  in other countries. For example if an Indian aggregator had contracted with a Russian company for an IT service in which some components of Dell was involved, he is now forced to default on the service because Dell is unwilling to fulfil its part of the contract.

A demand was made on ICANN to stop its services which was fortunately rejected.

 Now we are told that VISA and Master has stopped its services to Russia. PayPal has also made similar moves.

These private sector companies through their actions have joined the war front in the information sector. They are acting as mercenaries just like the Afghan tribals.

The demand on ICANN is a red flag which makes the Internet system itself less reliable than before. In case companies like GoDaddy or other hosting companies respond to the call of blockage then the Internet blockade of Russia may partially succeed. Russia itself may not be adversely affected since they have a robust internal network and can also connect to the dark web seamlessly.

I would not be surprised that in future Microsoft does not turn in their backdoors to the US Government or Google does not pass on all the access to Gmail content to NATO.

But there are lessons that we in India have to draw from these developments. Indian Government and the population is very much dependent on US companies for many of the critical IT services including the use of Microsoft products and Adobe products.

Without a proper assurance from these companies, it would be difficult for the country to rely on their services in future.

We therefore need to tighten our laws on the one hand to bind the “Critical service providers” to stand neutral at times of such conflict and in the long run become more and more self dependent. This approach to “Atma Nirbhar Bharat” has to be accelerated to avoid India again succumbing to “Colonisation” in the digital global world.

I recently heard one professional suggesting that “Processing” includes storage and hence VISA can continue to store the information abroad without maintaining a copy in India and claim that the “Processing” is not complete. The Government needs to be aware of such innovative interpretations of law to defeat the data protection regulations in India.

In the light of these developments it is necessary for CERT IN to send an advisory that a new Cyber Security threat has arisen where private sector IT companies are joining hybrid warfare and pose a significant threat to Indian companies and Government dependent on their services.

It is therefore necessary for all Indian companies and the Government entities to gradually develop alternate technological support bases to ensure that moves of VISA kind of organizations donot hurt us.

NASSCOM is in the forefront of supporting VISA and MASTER and demanding that no restrictions are placed on localization of their services. RBI has diluted its data transfer rules to allow “Processing” of financial data outside though the processed data must be kept in India.

I request NASSCOM to provide an assurance to the Indian community that MNC s who are their members donot toe the Biden’s policies to the detriment of Indian interests in future.

The Parliament at the same time must restore the Data Localization aspects in DPA 2021 back to the PDPB 2018 version and require that copies of all personal and non personal data transferred outside India must be kept in India and emergency access be made available to the law enforcement authorities under appropriate procedural controls.

The services related to Internet data storage and transmission provided by any company  in India needs to be declared as “Critical Essential Services” with an empowerment for the  Government  to deal with them like other  “Essential Public Services”.

By opting to take part directly in the information warfare, the US based companies have lost their case on opposing strict data localization in India. It has become a “Data Sovereignty” issue more than ever before.

We donot have any objection for any country to join the war transparently like Lativia. However, companies need to always stay non aligned if they want to work in international space. Companies having activities in India have to support the Indian policies and not the policies of a foreign country. This is the same situation that arose when Hyundai supported Pakistan on Kashmir issue. If they donot see reason, the law should take care that they donot turn rogue. Today we are afraid of dependence on Chinese technology because it is a security risk. A similar risk perception has now arisen on companies like VISA, DELL and APPLE.

As an immediate step, I urge that both NASSCOM and CERT IN to issue a joint notification that activities of IT companies stopping any services to Indian companies on pretexts of war in Ukraine would be considered as an “Unfriendly Act” and flagged accordingly. Such companies must be blacklisted or subject to higher standards of compliance in case of any Government contracts in future. It is necessary for NASSCOM members to bee “NON ALIGNED” in the current situations and toe the policy of the Indian Government.

Naavi

(P.S: The views expressed here are personal.)

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.