India and the global battle for data governance
ARINDRAJIT BASU and KARTHIK NACHIAPPAN
Often touted as the new oil or electricity, data is playing a key role in shaping the political, economic and social trajectory of countries. Insights driven through analytics derived from the volume, velocity and variety of big data fuel industry, government and communication in many ways. The governance of data and its free-flow across territorial borders, however, continues to be a sticking point at global fora, with countries looking to unlock economic gains from regulatory efforts both domestically and globally.
Broadly speaking, the debate hinges on an ideological split between two coalitions. On the one hand, the US and the developed world are seeking to maintain the free flow of data across borders with minimal government intervention. On the other hand, emerging economies led by the BRICS countries are focusing increasingly on ‘data sovereignty’ or the sovereign right of all countries to regulate data, as they see fit, without external interference. Galvanizing this discourse is the cry of ‘data colonialism’ or the idea that foreign technology firms (based largely in the US) are reaping profits from the data generated by citizens from the Global South, data that should instead be used for improving welfare and public service delivery and furthering economic development.
Through domestic regulatory efforts and outlining international positions, India has indicated a desire to take on a leadership role vis-a-vis global data governance. This article first frames the key global debates on data governance. Next, it analyses the politics and policy behind India’s domestic efforts to regulate data and gauges how India can shape global debates by leveraging both its economic and demographic capacities and burgeoning domestic policy ecosystem.
Cross-border data flows are essential to the growth of digital economies. While states like India look to advance digitization trends, they also seek to protect their digital industries and firms through new data rules, issues that have increasingly acquired strategic importance. These regulatory processes, however, have not gone unchallenged. They are increasingly shaped, influenced and strained by global rules on data, notably free trade agreements, but also through other global rule-making platforms like the G-20 and specific laws passed by certain powerful market powers, like the US, which are then used to influence domestic regulatory efforts covering data. In the section below, we look at the different global governance efforts that influence data rules across the world.
To prevent the domestic regulation of data from stymieing cross border trade and economic innovation, certain international organizations, like the World Trade Organization (WTO), have been relying on free trade agreements. For the past decade, trade agreements have entered discussions on data; ironically, trade agreements have renewed the WTO’s focus to look at issues not saturated by conflict as has been the case since the latter’s failure at Doha largely due to developmental issues. Besides the WTO, digital trade and data discussions have become an integral part of negotiations driving different types of free trade agreements, including some mega-regional trade agreements like the Trans-Pacific Partnership (TPP) and the Transatlantic Trade and Investment Partnership (TTIP).
Most WTO agreements covering issues like goods and services are the result of the Uruguay Round Trade Agreement in 1994; but these rules and those that followed under the WTO’s remit did not keep pace with the rise of the internet which has, since then, revolutionized economic activity. Despite claims that WTO principles, like the Most-Favoured Nation and National Treatment, and existing mechanisms, like dispute procedures, subsidies and trade facilitation, were adequate for this transcendent cyber shift, it was clear that more specific rules and provisions were necessary to adjudicate, for instance, whether certain digital activities, like apps or related online activities, were a ‘good’ or a ‘service’.
Classification proves critical given existing rules, like the General Agreement on Trade in Services (GATS) that govern that particular activity. For instance, slotting online platforms and services under the GATS will require compliance with the core National Treatment provision. This will diminish national control over digital industries since countries will have to provide equal access to foreign services suppliers, treating them like domestic firms which will likely be resisted given the growing importance of digital trade and the internet to economic growth.
Broadly, the consideration of digital trade, even data, has lagged at the WTO given the organization’s pronounced inability to use existing rules like GATS to sort out issues pertaining to online commerce despite the creation of the WTO Work Programme on E-Commerce. The patent inadequacy of the WTO to multilaterally resolve questions surrounding data and digital trade has compelled countries to pass measures under the guise of ‘localization’ (forced storage or processing of data within national borders) that inhibit digital trade.
These localization rules generally favour domestic over foreign firms given the nature of obligations, particularly when it comes to data, that foreign firms must follow. Though WTO rules can discuss and resolve these matters under the rubric of digital trade, including data, the desire to move along these lines has not been forthcoming given long-standing political difficulties and little appetite from key countries like the US and EU. With the Doha round largely on life support, multilateral rule-making on digital issues has shifted from the WTO to other avenues – bilateral, regional and plurilateral.
Key economic powers like the European Union and the United States are now using trade agreements and domestic rules to export digital standards, some covering data protection and flows, to ensure their companies have sufficient access across markets and sufficient exemptions from local digital rules. The United States has been prolific at using the Free Trade Agreement (FTA) route to enact its ‘digital agenda’; in fact, the US has reached free trade agreements with several countries that include WTO-plus provisions vis-a-vis digital trade, regulating issues like e-commerce, cross-border supply of services, protection of intellectual property rights and cooperation on ICTs.
Unlike the US, the EU has moved gingerly on using FTAs to manage digital trade issues, particularly data. The EU has sought robust commitments from its FTA partners like Canada, on data, expecting those keen to trade with the EU to internalize robust international standards on data protection. Besides bilateral FTAs, there has been a clear impetus to cover digital issues and data under mega-regional trade agreements – Transatlantic Trade and Investment Partnership (TTIP) between the EU and the US and the Trans-Pacific Partnership (TPP) between the US and 11 Asia-Pacific countries. The TPP, which the US withdrew from after Trump’s election, explicitly barred the use of data localization requirements while TTIP’s discussions on data have been constrained by the EU’s GDPR, which has a strong data protection standard.
Finally, the G-20, under Japan’s leadership in 2019, entered global data discussions to generate consensus amongst countries that have different positions and stakes on how countries should draft and manage data policies such that they do not hinder trade and investment. At the G-20, Japanese PM Shinzo Abe formally declared the launch of the ‘Osaka track’ as a framework that advances the cause of cross-border data flows with sufficient protection. The core concept driving the framework was ‘data free flow with trust’ that called for a set of international rules which would enable the free movement of data across borders embedded with provisions that protect personal information, intellectual property and cyber security. Abe’s initiative struck a chord amongst most countries present, especially the notion that supporting the growth of digital economies requires a reliable set of rules that hinge on data flows.
Though most countries, including the US, endorsed Abe’s plan, the initiative did not pass muster with some vital Asian countries with booming digital economies, including India, which reserved judgment. Hurdles and divisions remain. The European Union feared that the US and Japan were going to sacrifice privacy considerations at the altar of digital innovation while China, Russia and India demurred for other reasons. The G-20 is not likely to find common ground on the issue of data flows. This fragmented global data landscape compels us to map what key actors like India are doing on the domestic policy front, as domestic developments are increasingly likely to shape the global regulatory agenda.
The past couple of years have seen the release of a number of policy interventions on data governance by various government ministries and departments in India. While connected by the common ‘data sovereignty’ vision or using data for pursuing economic development and empowering vulnerable communities, there are several inconsistencies and loopholes in these policies.
The first major policy move on data localization started with a notification from the Reserve Bank of India in April 2018 compelling the storage and processing of all payments data in India. WhatsApp, Google Pay and Mastercard, along with a number of foreign companies are prioritizing compliance with this directive to retain their position in India’s burgeoning payments sector. The RBI directive was followed by several notifications mandating various forms of data localization across a variety of sectors including health care, e-commerce, and insurance.
The most sweeping of these was a draft of the August 2018 Personal Data Protection Bill. The draft bill contained a mirroring provision, which mandated that a copy of all personal data be stored in India. It also contained a provision restricting cross border transfers for all data that the government notified as ‘critical personal data’.
While the Srikrishna Committee, which authored the draft bill, specified a number of reasons justifying this measure in its accompanying report, two in particular stood out. First is the long-winded process that Indian law enforcement agencies must go through to access data stored in the US. Indian law enforcement authorities have recognized this gap as a major fetter to running criminal investigations. Second, data localization could enable Indian companies that want to use data driven decision making tools to access and use data for their economic benefit.
Unsurprisingly, large Indian technology companies – Reliance, Paytm and PhonePe – already have data centres in India or can pay for their data to be stored in a local data centre. Large Chinese companies – Alibaba and Xilinx – have also taken pro-localization stances possibly because they too have data centres set up in India.
But this move toward data localization was vocally opposed by several US tech companies who abhorred the move. Facebook Public Policy Vice President Nick Clegg and Google CEO Sundar Pichai, along with lobbying groups such as the US-India Strategic Partnership Forum (USISPF), US-India Business Council (USIBC) and National Association of Software and Service Companies (NASSCOM) made several trips to New Delhi to bring home that message.
The industry-driven lobbying worked in tandem with the US government, as data localization became an increasingly vital part of the agenda in bilateral trade talks. In fact, Secretary of State Mike Pompeo reportedly contemplated limiting the number of H1B visas granted to Indian citizens if the localization provisions were not relaxed. President Trump himself made a public statement explicitly denouncing data localization at the G20 Osaka Summit. However, lobbying by the US and western government officials and the tech industry appears to have worked. When IT Minister Ravi Shankar Prasad introduced a revised version of the bill in December 2019, the mirroring provision was gone.
In its new form, the bill only requires the storage of ‘sensitive personal data’ in Indian territory, a subset of what was required under the mirroring provision. Sensitive personal data can be transferred abroad for processing if certain conditions are fulfilled. First, explicit consent must be obtained from the data user (called ‘data principal’). Second, the transfer must be in pursuance of a contract or an intra-group scheme that safeguards user rights and plants liability on the data processor.
As an alternative, ‘sensitive personal data’ may be transferred abroad on a case-by-case basis if the data is accorded equivalent protection in that jurisdiction. Further, Indian law enforcement authorities must be granted access to the data if they need it for conducting criminal investigations. Like the previous version of the bill, the Indian government retains the power to notify any data as ‘critical personal data’, which must be stored and processed only in India.
Enabling the use of non-personal data for public service delivery meshes with India’s policy objective of data for development. However, these efforts are often incoherent. For example, the Data Protection Bill defines non-personal data unhelpfully as ‘anything that is not personal data’, while providing the government the right to access both non-personal data and ‘anonymized personal data’ when it deems fit, although these two categories should be treated differently.
Further, various government entities follow varying conceptions of non-personal data. The draft e-commerce policy released in March 2019 by the Department for Promotion of Industry and Internal Trade (DPIIT) under the Ministry of Commerce (MOC) looks at non-personal data and anonymized personal data as ‘community data’, seemingly indicating that all Indians should benefit from data generated by each other. Chapter 4 of the Economic Survey of 2019 released by the Finance Ministry states that any data held by the government should be utilized for the ‘public good’ while strangely allowing private actors to bid for this data and use it for data-driven decision making.
A committee was set up by the Ministry of Electronics and Information Technology (MEITY) to clarify the governance of ‘non-personal data’ but its report is yet to be released, thereby compounding the policy uncertainty. Given the public views of the members of this committee, it will likely prioritize state sovereignty over corporate ownership or individual control whenever the report is finally released.
India has significantly ramped up its engagement with global data debates this past year. India’s positions have been an extension of its domestic policy ambitions, embracing ‘data sovereignty’, countering ‘data colonialism’ and retaining publicly generated data to aid state power particularly when it comes to public service delivery and welfare provision. India will likely push for global data rules that advance and shield the role of the state.
At the G20 Summit in Osaka last year, India, alongside BRICS countries, underscored the critical role that data plays in the development of emerging economies, and did not sign the Osaka Declaration on Digital Economy that was the trigger for the ‘Osaka Track’ discussions. Foreign Secretary Vijay Gokhale reiterated that global rule-making on data transfers must not take place in plurilateral forums outside the WTO as doing so would reduce the say emerging economies could have in shaping the debates.
Since then, however, India appears to have softened its position given shifting interests. For example, while India’s decision to opt out of the Regional Comprehensive Economic Partnership (RCEP) was driven by reasons other than data localization, disagreements on cross-border data flows occupied centre stage. At the Bangkok negotiation rounds in October 2019, India blocked both the financial services agreement and the e-commerce chapter because acquiescing to these rules would interfere with its ‘essential security interest and national interests.’ However, within ten days, reports indicated India moved away from its initial hardline stance and allowed the passage of the e-commerce chapter with exceptions provided for ‘essential security interests’ and ‘legitimate public policy objectives.’
This flexibility on data localization was underscored through the revised Personal Data Protection Bill, discussed above, where the data localization provision was diluted significantly. It will be interesting to see how India approaches the data debate in upcoming bilateral engagements, most significantly as it negotiates a Free Trade Agreement (FTA) with the European Union.
Ultimately, robust global engagement on questions related to data will be difficult in the absence of settled domestic policy. The slew of incoherent and seemingly schizophrenic domestic policies diminishes the value of India’s ‘data sovereignty’ message abroad. A better coordinated approach that resolves conflicts and uncertainty generated by piecemeal approaches adopted by several ministries is the need of the hour. International rules that embody and advance data sovereignty cannot eschew or compromise the individual sovereignty of Indian citizens.