India’s data protection landscape

A fierce battle is brewing over India’s data policy – the Personal data protection bill. It is shaping up to be a clash where priorities related to innovation, jobs and development clash with security, access and control. The politics around India’s data policy has clear global, national and sub-national dimensions. New Delhi must adroitly manage pulls from these directions to enact a data protection law that gives citizens adequate protections vis-a-vis data use and transfer and businesses, foreign and domestic, the space to deploy data to service customers and create new jobs and services. New rules will also have to straddle security concerns since government agencies would prefer reliable access to data. These competing pressures will affect India’s data protection law. How prevailing trade-offs around data flows get resolved will shed light on what values drive India’s approach toward technology issues.

There is scant global coordination on establishing robust standards on data flows. The absence of norms around which domestic data rules can be crafted has generated uncertainty. There appears to be little progress on the normative front. At the 2019 G20, Host Japan introduced a ‘Data Free Flow with Trust’ (DFFT) system to facilitate free flow of data under acceptable global rules; but Japanese initiative was hamstrung by differences between industrialized countries, with Japan and US on one side, and emerging countries like China, India, Brazil and Russia. Emerging countries endorsed data localization while OECD states preferred data flows with some constraints. This gulf could constrain future multilateral discussions on data governance. The establishment of a globally relevant data standard facilitates certainty – allowing countries to provide the same degree of data protection and privacy to their citizens and businesses the space to streamline business operations.

Given fault lines, international organizations are under pressure to develop robust data standards. Calls have now increased for the WTO to place digital flows under its Integrated Trade Intelligence Portal which compiles information on how countries manage their trade policy. Though WTO rules bar measures, like data protections, constraining trade, exceptions exist within the General Agreement on Trade in Services (GATS) for various domestic policies that do not comport with GATS provisions. Some technology companies are pushing the United States to use the WTO to challenge China’s controversial data laws where data flows are used for censorship and surveillance. In fact, China has used exceptions in the GATS agreement to defend its data management approach claiming those measures are “necessary to protect public morals and to maintain public order.” Surprisingly, the World Bank has advocated for developing countries to establish data processing centres that could boost the creation of IT-based industries. Going ahead, the Bank will advise more on how data fits into national business indicators, highlighting policy and regulatory issues around the digital economy.

Multilaterally, two issues with respect to data governance must be addressed – which regime should draft global data rules and what principles should influence rules, those that support data flows, with some constraint, or not. How this process plays out will impact India’s own data policy given the importance of the digital economy to global commerce.

The absence of a global Internet protocol has generated territorial claims on data protection. Countries are trying to exert some control over data flows. The policy approaches of three key jurisdictions – US, EU and China matter since their standards shape the laws of countries they trade with. Market power drives regulatory harmonization and compliance. Currently, the United States does not have a federal law on data protection. Instead, Washington relies on a ‘sectoral’ data protection approach through a combination of legislations, regulations and self-regulation. The approach places considerable onus on businesses to front data protection. In addition, states like California, Ohio and Tennessee are crafting their own privacy laws given public demand. Protections, particularly that of citizen privacy, vis-a-vis data use, consumption and transfer underpin the EU’s privacy law – the General Data Protection Regulation (GDPR). China’s cybersecurity law requires data providers or ‘network operators’ to hold data collected within China inside its territory.

India’s bill prioritizing innovation, security and protection contains provisions that exist in the approaches adopted by the US, EU and China. India’s bill incorporated certain aspects of GDPR, particularly provisions strengthening protections for data use and stipulating what companies can do with personal data. And like China, India’s bill contains data localization requirements. But a tussle between innovation and data retention threatens this balance. Growing demands from the United States to change course on data localization, given US economic interests particularly American technology companies, has pushed New Delhi to relax its stance on localization.[8] New Delhi’s pushback suggests that India’s trade relations will constrain domestic data preferences that instinctively bend toward localization.

Push for data localization

In India, the demand for data rules anchored on localization is institutionally driven. Localization enables data access. The BN Srikrishna committee that issued a report on data protection, on which India’s draft data law is based, recommended localization to safeguard data access. That said, the trend towards localization, however, predate these new policies. Data protection provisions go back to the 2000 Information Technology (IT) Act and the 2011 Information Technology Rules that defined sensitive data and clarified norms for data collection. With limited broadband penetration and wireless usage, despite a services-based economy, there was limited impetus to facilitate open data flows. Instead, the reverse desire to hold data continued through successive government measures.

In 2012, India enacted a National Data Sharing and Accessibility Policy (NDSAP) that mandated all government data be stored in local data centres. In 2014, India’s National Security Council instituted data localization, requiring all email providers establish local servers for their India operations. And in 2015, India’s Ministry of Electronics and Information Technology (MEItY) obliged cloud providers seeking government contracts to store all relevant data in India. The meteoric rise of digital financial flows and the intermittent use of foreign platforms to conduct transactions has bolstered localization. In April 2018, the Reserve Bank of India (RBI) mandated withholding payment data even if payments are processed outside India to the annoyance of companies like Visa, Mastercard, Amazon and PayPal. Data access, for Indian officials, serves as a bulwark against potential cybersecurity threats. Moreover, localization provides government officials control over data when required instead of requesting or waiting for it from external sources. This preoccupation will constrain India’s data policy given cybersecurity risks to the state and citizens.

A need for data storage reinforces localization. The storage angle is being pushed by Indian states who view data policy through the lens of jobs and development. Uttar Pradesh (UP) could become the first Indian state to compel technology companies like Amazon, Facebook and Flipkart to store data of their residents within the state. UP plans to store data in newly constructed data centres that they hope will generate new jobs. Whether enough jobs will be created from data storage centres is an open question; moreover, doubts exist on whether Indian states can run such data centres. Notwithstanding these qualms, other states like Andhra Pradesh and Telengana are exploring new data centres to house their data. A key factor driving this push within Indian states is the rapid penetration of 4G technology that has caused a dramatic rise in wireless data usage given dropping costs. These states believe storage and localization could force high-tech companies to shift activity to their borders.

Having fully functional data processing centres could power India’s growth over the long run. India’s digital economy generates $200 billion per year largely from digital services covering activities like business process management, digital communications, e-commerce, digital payments and direct subsidy transfers. Estimates suggest India can create over $1 trillion of economic value from the broader digital economy by 2025 from these services and other sectors should they digitize as expected. Some sectors like health, agriculture, logistics, education and energy do not have technology drive their operations but potential exists to change how they operate. This potential digital revolution could create a vast market space encompassing digital services, platforms, applications, content and solutions. Making data available, as a result, could catalyse digital entrepreneurship.

This latter desire is reflected in India’s proposed e-commerce policy that also imposes restrictions on cross border data flow. The e-commerce policy extends to cover a whole range of data provisions that affect digital commerce – source codes, data monetization, payments, intellectual property rights, privacy, data anonymization and search engine regulation. The vast expanse of the e-commerce policy suggests that the Modi government views e-commerce openly, not purely in terms of transactions but as an infrastructural issue that could transform India’s economy via digitization. New data facilities could spawn firms in areas like artificial intelligence, 3-D printing, robotics, analytics and data intelligence, generating new industries and jobs across the country. And these firms will necessarily push for sovereign data rules that protect their interests. These domestic political factors will influence India’s data policy that could seesaw between more and less localization.

India’s data policy will confront various pressures at global, national and state levels where security, economic and political considerations intersect. Undeniably, the resultant design of India’s data policy will impact India’s economy (pace of innovation and productivity, digital ecosystems and jobs) and foreign policy (India’s relations with the United States, EU and China). It will be interesting to see what gives.