How best to keep data safe (and drive the digital economy)?

Thursday, 27 March 2025 00:48

All over the world, governments and companies have understood the value of cloud services


No one likes data breaches, ransomware attacks, or identity theft. No country wants its enemies (or friends) sniffing through sensitive databases. None of these things are hypothetical. They have happened. In 2023, Sri Lanka’s Government email network was hit by a ransomware attack that wiped months of data from thousands of email accounts. Because the data from 17 May to 26 August had not been backed up, Government officials who dutifully used the official gov.lk system lost the emails for that period. 

Data are unlike tangible, physical things. A physical thing exists in only one place. Data can exist in multiple locations as copies, making even the concept of “original” meaningless. A thief can take your data but leave you with it too. Or take your data and render it unusable to you by encrypting it (this is what happens in a ransomware attack). 

People are used to safeguarding tangible, physical things by keeping them in proximate locations, ostensibly under their control. In times of uncertainty, they hide valuables in their homes. During research in Myanmar, we found a curious custom where savings would be hidden inside a bamboo stick supporting the roof.

But in some cases, people use safe deposit lockers at banks because they offer greater protection for tangible valuables than their own homes. This shows that even with tangible, physical things, risks are not necessarily reduced by keeping things close. Proximity does not translate into greater control.

The safe deposit locker has layers of protection: the bank itself; the vault where the lockers are kept; the procedures for letting people enter the vault; and the keys and combinations on the locker. In the case of data, what matters are the layers of protection and provisions made for business continuity through redundancy. Keeping email messages without proper backup within Sri Lanka was less safe than the Gmail services used by most officials who pay no heed to official policy on email use. In Gmail and similar services, the data are kept outside the country (no one knows which country), but the emails are safe.



Data localisation

The idea that data must be safeguarded like physical things underlies South Asian justifications for s. 26 of the Personal Data Protection Act (PDPA), No. 9 of 2022, adapted from European laws and decisions which were intended to disadvantage non-European competitors. The complex language of the Sri Lankan law contains practically insurmountable barriers to “processing” data outside the country by Government entities. Processing is defined very broadly to include “any operation performed on personal data including but not limited to collection, storage, preservation, alteration, retrieval, disclosure, transmission, making available, erasure, destruction of, consultation, alignment, combination, or the carrying out of logical or arithmetical operations on personal data.” 

For a Government entity to process data outside the country, the Data Protection Authority must classify the data in consultation with that entity and the relevant regulatory or statutory body. The Minister must make a complex and resource-intensive adequacy decision on the country where the data are to be processed. In the case of the GDPR, the European data protection law on which the PDPA was modelled, only a handful of mostly high-income countries have been certified as adequate. Argentina, with a per capita GDP of $ 12,933 (four times that of Sri Lanka), is possibly the poorest of the countries considered adequate.

Private-sector firms may move data out of the country but are hamstrung by excessively complex procedures and clearances. Large corporates can absorb these costs. In many cases, they have in-house lawyers. But the risks of non-compliance are higher for startups and MSMEs. The costs will be high for them in relation to their overall business costs. They more than the large corporates need SaaS [software as a service] and cloud services. The result will be the discouragement of their use of cheap and effective cloud computing and related services. The Act will hurt the ability of the private sector to be competitive internationally.

India spent several years preparing its data protection legislation. The highly restrictive language on data localisation was dropped in the final legislation. The government retains the power to notify a country as one where data cannot be processed. In addition, the law allows for rules to be imposed by sector regulators such as the Reserve Bank of India. More than a remote Data Protection Authority, a sector regulator knows the practical problems faced by the entities it regulates and the risks they face. 

The untrammelled discretion that the Indian legislation gives the Minister to notify countries where data cannot be processed leaves room for arbitrary actions that can create uncertainty for companies dependent on robust data processing. Despite this weakness, the Indian approach is far superior to the procedures set out in the Sri Lankan legislation. 




Cloud First?

All over the world, governments and companies have understood the value of cloud services. In many cases, the official policy is Cloud First. The Sri Lanka Government also has a Cloud First Policy, though it does not appear to have been approved by Cabinet.

The alternative to cloud services is a server located on premises. The maintenance of the server and ensuring that its power supply is reliably backed up is hard enough. The physical security of the room where the server is located has to be assured. Protection from fire, flood, etc. has to be assured. The server room has to be secured against unauthorised entry and logs maintained. Unless the server is air-gapped (physically disconnected from a data network), cyber security must be in place. All these actions are easier in the context of dedicated cloud services where high-quality (and therefore expensive) measures can be justified. Cyber security expertise is among the most valued of skills and is in short supply. 

Cloud services allow for rapid scaling. When additional capacity is needed, there is no need to buy new equipment, new power backups, etc. Just a phone call or an email will suffice. In the case of the fuel rationing system based on a QR code successfully implemented in 2022-23, it was found that the latency requirements (how long it took to get a response once the QR code was scanned) were best satisfied by a global cloud service, not the Lanka Government Cloud, which was hosted in a Tier 3 data centre located within the country. Sri Lanka does not have Tier 4 data centres.

Restrictions on the use of global cloud services such as those found in the PDPA will prevent the use of SaaS [software as a service]. In the US and many other countries, it is possible to outsource analytics services based on the internal data of a company or organisation. For example, a company may wish to test the efficacy of online marketing campaign A versus marketing campaign B (A/B testing). In the old days, this would require an in-house statistician, a testing team and specialised software. Now, in those countries the whole thing can be outsourced to a company that operates on the cloud, using its statisticians, software, etc. These services are particularly valuable to startups and small companies that cannot justify in-house statisticians and rarely-used, expensive software. 

If Sri Lanka is serious about accelerating the digital economy, it has no alternative but to repeal or replace current s. 26 of the PDPA with simpler provisions that will not kneecap the enterprises that are expected to drive the digital economy. What may work for Europe will not work in this small economy.
