Expert Speak Raisina Debates
Published on Oct 26, 2022
The general impetus seems to be control of data flows by nation states and not protection of data and privacy
The international politics of data: When control trumps protection The last few years has seen India champion data localisation worldwide. From crafting rigid measures in areas like banking and e-commerce that mandated domestic retention of data, to the protracted process that began in 2017 to create a data protection law that would have legislated this retention, to rejecting ostensibly liberal rules governing data flows at the G-20, WTO, and RCEP—India has endorsed a muscular form of digital sovereignty anchored on data that, initially, elicited intense opprobrium. The United States (US) and large US technology firms were openly critical of Delhi’s obdurate attitude on data sovereignty, deriding it as an ‘overreach’ that restricted digital trade, undermined privacy, and rebuffed intellectual property rights. These reproaches are heard less now as the international politics of data tilts from a patchwork of different, uneven, and inconsistent preferences on data flows to a growing, yet inchoate, convergence that emphasises data control over data flows and protection.

The United States (US) and large US technology firms were openly critical of Delhi’s obdurate attitude on data sovereignty, deriding it as an ‘overreach’ that restricted digital trade, undermined privacy, and rebuffed intellectual property rights.

Globally, governments generally seek more control over data through new legislations and rules as evidenced by the policy shift globally towards data localisation and increasing barriers covering data flows. It appears as though a genuine desire to ‘protect’ data or the privacy of users online has passed; the policy focus now, for most governments, is to create data enclaves where domestically harvested data can be leveraged for economic benefit. Notwithstanding India, which proclaimed a clear preference to localise data, other key ‘data’ markets like the European Union (EU), South Korea, and China are now deploying forms of localisation to govern their digital economies, and are relatively less concerned with privacy or user rights. Data localisation manifests in various forms—mandating firms to locally manage and store data while prohibiting transfers (China, Russia); expecting firms to retain a copy of data locally (India); permitting data transfers provided both countries have adequate safeguards (EU, Brazil). Countries that were not regulating or were using less onerous measures to manage data flows to ensure some protections exist, given privacy concerns, now appear eager to craft robust rules that direct and redirect data flows internally.

India and South Korea have data regimes anchored on the government serving as the principal custodian, directing and coordinating domestic traffic on data flows and sharing.

The dominant trend in global data politics now involves countries and jurisdictions that have open thriving digital economies like the EU, India, Indonesia, South Korea, and Vietnam moving to institute restrictionist measures to control, not protect, data, despite other options. Through the 2022 Data Act, EU officials intend to craft a digital industrial policy that creates a massive single market for data, accelerating data sharing within, not outside, the bloc. India and South Korea have data regimes anchored on the government serving as the principal custodian, directing and coordinating domestic traffic on data flows and sharing. Indonesia and Vietnam are finalising data protection frameworks that use cybersecurity challenges as a pretext to entrench data regimes that largely service the state’s digital agenda. Such interventions generally involve regulatory restrictions vis-a-vis data through arcane administrative rules that palpably raise burdens on foreign firms and their operations while easing them for domestic firms.

The trend is to control not protect data 

Why are countries looking to increase their control over data? States regulate data to ostensibly protect national security by storing data internally, provide domestic firms access to user (and anonymous) data to boost competitiveness, ease law enforcement’s qualms when accessing data, and ward off foreign digital dominance and surveillance. These conditions matter and have possibly contributed to how countries figure out their data governance, especially policies covering data flows, as digitalisation continues apace. The presence and proliferation of cyber threats has amplified the importance of having robust policies to protect data yet the impetus while legislating appears to swing toward securing and distributing access to data for commercial purposes, not safeguarding the rights and interests of users online. Limited evidence exists to back national security and law enforcement proponents who claim data is secure when domestically present; in fact, the opposite may be true in countries that have serious cybersecurity gaps or where data cannot be easily identified or excavated. It also appears difficult to shed digital dependence on a specific country through data localisation; foreign tech firms might find the process of processing and managing personal data difficult given localisation rules but that constraint will be weighed against the prospect of exiting that market altogether.

The presence and proliferation of cyber threats has amplified the importance of having robust policies to protect data yet the impetus while legislating appears to swing toward securing and distributing access to data for commercial purposes, not safeguarding the rights and interests of users online.

Why does control trump protection as the rationale for drafting data policies? Control gives states more power when confronting and resisting big tech firms; states can use law to grapple with and constrain the burgeoning powers of big tech that generally hinge on their capacity to harvest and deploy extraordinary amounts of data collected by their platforms and services. Control allows states to hold big tech accountable while operating in their digital economies making them accede to domestic, not US law; hold them accountable for the data they collect and use; hold them accountable for increasing their market power over key domestic industries; and hold them accountable by creating new digital infrastructures that instill competition where smaller players have ample opportunity to develop services and applications for digital consumers.

China’s Personal Information Protection Law (PIPL) has a strong data localisation provision that requires the storing of personal information in China with transfer only contingent on prior assessment by the Cybersecurity Administration.

The implications of this emergent trend for global governance, international trade, and internet governance are immense. Should this trend persist, it will make it difficult for countries and prevailing multilateral frameworks to craft global norms and rules covering data as countries prioritise the extraction of data over its protection and transfer through safe and accessible pathways. The EU is instituting laws and directives to assert sovereignty over its data and regain some digital independence. China’s Personal Information Protection Law (PIPL) has a strong data localisation provision that requires the storing of personal information in China with transfer only contingent on prior assessment by the Cybersecurity Administration. South Korea’s data protection framework, especially the Personal Information Protection Act, binds any company or government agency seeking to transfer personal data outside South Korea. As data becomes increasingly governed by complex national regimes, and possibly byzantine regulatory structures, the ability to find and exploit trade-offs that can be coordinated through mutually acceptable rules will likely diminish. Achieving data interoperability through a multilateral instrument could become hard as the domestic politics of data turns sharply inward. Digital trade will become an issue that countries discuss bilaterally or minilaterally through like-minded frameworks like the Quad, IPEF, or CP-TPP, where the prospects for finalising and syncing frictionless standards are high. For internet governance, policies that amplify data control could lead to new forms of digital statism, where the state becomes the leading, and possibly central, mechanism driving digitalisation through the introduction of laws, regulators, institutions, and infrastructures governing the digital. We might be on the cusp of an age of digital leviathans.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.