Introduction
Through multilateral diplomacy at the World Trade Organization (WTO) and other forums, India has placed itself at the centre-stage of the global battle on data governance. The pillar of its foreign policy vision in this domain is the principle of “data sovereignty”, which supports the assertion of sovereign writ over data generated by citizens within a country’s physical boundaries. Corollary to this idea is the call for greater attention on “data colonialism”, or the extractive economic practices of Western technology companies seeking to consolidate their market power at the expense of individual users in the developing world, who are, to begin with, the creators of this data.[1] Given its massive population, economic heft, and rapidly rising number of internet users, India has a unique opportunity to navigate the existing fissures in global data governance and create a meaningful impact on rule-shaping in this space. It has taken strong positions in WTO debates, including to assert that any rule-making on data governance outside the consensus-driven model of the WTO will dilute the voices of emerging economies and suppress their sovereign right to frame rules that further their citizens’ best interests.[2]
The ideal of “data sovereignty”, and global attempts to leverage it, has come under heavy criticism from various stakeholders who are of the view that the concept violates the principle of “free and open internet”. They also argue that “data sovereignty” hampers innovation and economic growth, and is a ruse for authoritarian digital governance.[3] To be sure, these arguments could be valid depending on the legal and regulatory frameworks they lead to.
In India’s diplomatic framework, however, data sovereignty is a broad vision, and not a specific policy prescription. While this vision could be misused to realise the possibilities listed above, it can and should be championed to remedy existing inequities and reconceptualise a digital world that will work for all stakeholders across geographic and socio-economic divides.
This brief ponders how India’s vision can be converted into policy prescriptions and negotiation strategies to benefit, foremost, individuals and communities in India. This vision must be rooted in the ideals of the Indian Constitution that does not seek to place power at the hands of neither the State nor private parties. Rather, it provides a robust framework for the safeguarding of citizens’ rights along with a call to action to state actors to remedy structural inequalities.
India’s digital sovereignty vision has three pillars: first, a push to leverage data as a key tool of economic growth and development by asserting regulatory oversight over the practices of multinational private actors; second, a domestic push backed by a global diplomatic gambit to prevent the inequitable construction of digital trade rules; and third, the leveraging of data security in bilateral security disputes. While the policy formulation and implementation of India’s vision is still a work in progress, the desire to shape the global data governance architecture—“the governance of data between states, non-state actors, and individuals while managing data flows across territorial borders ”[4]—and the intent to sustain these rule-making efforts is apparent.
Current Debates
The WTO’s legal architecture was inked in the pre-internet era and not designed to sufficiently regulate the nature of present-day data flows.[5] There was some initial discussion on e-commerce in the WTO’s early days, with the first ministerial conference in Singapore (1996) seeing members agree to increase world trade under the organisation’s framework.[6] At the Geneva ministerial in 1998, members adopted a global declaration on e-commerce that set up a comprehensive work programme and imposed a moratorium on customs duties on electronic transmissions.[7] According to some members, however, the work programme made little progress in the next two decades.[8] Therefore, in the build-up to the 11th ministerial conference (MC11) in Buenos Aries in 2017, several proposals seeking to alter that programme were put forward.[9]
At the end of MC11 in December 2017, over 70 countries, including the United States (US), joined the Joint Statement Initiative (JSI) to “initiate exploratory work together toward future WTO negotiations on trade-related aspects of electronic commerce.”[10] Since then, the number of JSI participants has grown to 86, accounting for over 90 percent of global trade flows, with several developing countries signing on since 2019.[11] These include China, Indonesia, and the Philippines. Indonesia has said that while it does not agree with the JSI members on substantive issues, it is joining the JSI to act as a bridge between developed and developing countries.[12] The JSI discussions cover cross-cutting topics on digital trade, including market access and data flows, consumer and personal data, and e-commerce measures and regulations. The JSI endeavours to negotiate clear outcomes that will limit the trade restrictive measures that members can impose through domestic policy.[13] India has been a staunch opponent of the plurilateral JSI process and tried to revitalise the original e-commerce work programme instead.
There are, therefore, two parallel tracks for e-commerce negotiations: multilateral negotiations at the General Council through the work programme, which requires all WTO members to reach a consensus vis-à-vis any decision; and separate plurilateral discussions outside the work programme framework, thus avoiding the consensus requirement. On 14 December 2020, the members of the JSI circulated a Consolidated Negotiating Text towards the creation of a legal framework for governing electronic commerce at the WTO.[14] Further momentum was reported in July and September 2021 by the JSI convenors, Australia, Singapore and Japan, as members reached a consensus on open government data and online consumer protection. JSI members continue to stress that the JSI process is open and inclusive, and will work for the interests of the developed and developing world alike.
India and South Africa have been at the forefront of efforts to counter the JSI’s march forward. On 18 February 2021, the two countries circulated a joint communication criticising the JSI approach, and arguing that the initiative was legally inconsistent with WTO rules and was attempting to bypass the consensus model for driving a legally binding framework through the WTO.[15] They argue that the JSI must garner consensus from the entire WTO to be legally valid. India and South Africa’s argument is legally correct. Article X was incorporated into the Marrakesh Agreement that set up the WTO to prevent a limited group of countries engaging in clandestine negotiations and undermining the negotiation function of the WTO.[16] Thus far, this communication has had no impact on the efforts of JSI members who continue to maintain that the process is open to all. The resolution of this tussle between the two parallel tracks should be a high diplomatic priority for any country looking to shape the WTO data governance agenda, including India.
The JSI got a further shot in the arm at the G20 summit in June 2019 with the Osaka Declaration on Digital Economy that launched the Osaka Track. Fueled by then Japanese Premier Shinzo Abe’s battle cry of “data free flow with trust,” the Osaka Track complements the JSI process, aiming to double-down on international rule-making vis-à-vis the global digital economy in a manner that promotes data flows and reduces restrictions on e-commerce while augmenting protections for intellectual property, personal information, and cybersecurity.[17] Notably, China, the EU and the US signed on for the Osaka Track, while India, Indonesia and South Africa opted out—this signals a clear divide in the future of cross-border flows at the WTO, including among members of the JSI.[18]
Digital trade commitments are increasingly being negotiated outside the auspices of the WTO as well, through regional and plurilateral trade agreements. Three recently negotiated plurilateral trade deals comprise chapters on obligations on e-commerce and clear prohibitions on measures restricting cross-border data flows—the Regional Comprehensive Economic Partnership (RCEP),[19] the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP),[20] and the US-Mexico-Canada Trade Agreement (USMCA).[21] Each of these contains obligations on the location of computing facilities and cross-border transfer of information by electronic means, along with exceptions to these obligations. The CPTPP rules on data do not prevent a member from taking measures in pursuit of a “legitimate public policy objective” even if these measures contravene the obligations set out in the provision, so long as the restrictions are not greater than that which is required to attain the objective. The USMCA has the same exception for the obligation on cross-border information flows but not for the obligation to not mandate location of computing facilities within a member state. In their respective chapters on exceptions, both the CPTPP and the USMCA allow members to derogate from an obligation in the agreement if they are doing so to protect their “essential security interests.” The RCEP provision on cross-border data flows has the broadest exceptions, possibly because it counts as its members several states that have imposed varying degrees of data localisation mandates. In addition to the general exception on “legitimate public policy objectives”, the text includes a specific reference to essential security interests within the chapter on cross-border flows itself. Unlike the two other agreements, this RCEP provision clarifies that if a member claims that a specific measure has been taken to pursue its “essential security interests”, this cannot be disputed by other parties.
Amidst the global multilateral and plurilateral tussle to set out rules for cross-border data flows, several states have issued domestic legislative mandates compelling data localisation—legal or policy restrictions on transfer of data beyond a nation’s physical boundary. At least 18 jurisdictions have imposed various kinds of localisation mandates.[22] The models of localisation may differ in the strength and type of the mandate, the type of data the mandate extends to, and the sectors involved. India has imposed a variety of mandates that have served as the domestic thrust of its data diplomacy push abroad.[23]
Apart from the debate on cross-border flows, there are two other core issues that act as critical fissures for India and other emerging economies both within and outside the JSI process. The first of these is opposition consistently voiced by India and South Africa to the continued renewal of the 1998 e-commerce moratorium on customs duties for electronic transmissions.[24] This was intended to be temporary but has been renewed every two years. They argue that the moratorium leads to revenue losses for emerging economies and greater dependence on products from the developed world; they are calling for a thorough evaluation.
Another issue is the restriction on national legal provisions mandating the disclosure of source code—i.e., the fundamentals of a computer programme.[25] Developed countries want to incorporate restrictions against this mandatory disclosure as they feel it could negatively impact business interests. For the developing world, however, denying policy space to impose mandates on foreign firms could hinder knowledge transfer and also prevent the state from adequately scrutinising technical systems to mitigate cybersecurity threats and evaluate the impact of algorithmic decision-making on their citizens.
Fundamentally, the debate hinges on a question at the core of global trade: How much of sovereign policy space should a nation give up in order to reap the benefits of the global trading system? Given that the digital ecosystem of the developing world is still nascent, the retention of policy space becomes imperative to ensure that the domestic regulatory framework responds to domestic technological and socio-economic concerns rather than mandates imposed through the WTO. For India, this is a high-stakes battle, both in terms of the evolution of its regulatory framework at home, and its economic and security posturing abroad.
India’s Data Diplomacy: Three Pillars
Existing literature often castigates India as an obstructionist power, whose naysaying and serial defensiveness at multilateral forums have damaged its global image.[26] However, recent empirical research on India’s past engagement with international forums shows this assertion to be simplistic.[27] While rhetoric on defending the interests of developing nations continues to resonate, the nature and scope of India’s engagement comes down to three factors: national interests; institutional capacity to negotiate the issue; and how domestic interest groups influence institutional views before and during negotiations.[28]
Pillar 1: India’s data for India’s development
The flagship ‘Digital India’ programme clearly views data as the cornerstone of India’s socioeconomic future—one where the government leverages the Indian citizen’s data for the benefit of the people themselves, and not solely for profit-making.[29] Thus, unsurprisingly, the edifice of India’s data diplomacy and its first pillar has been the assertive push towards realising the economic value of data at home. The significance of India’s data sovereignty has repeatedly been emphasised when framing its regulatory strategy and foreign policy posturing.[30]
An assortment of policies underscore this idea, albeit in principle, and requiring greater scrutiny when applied. Policymakers seek fair value for Indian citizens from the data they create—colouring data as a “societal commons”, “natural resource”, or “public good” without entirely addressing the implications of using these metaphors.[31] For example, an important regulatory innovation championed across several policy instruments is that of “community data”, furthering the notion that communities of individuals have rights to the data they generate. While noble, this conception is of little value without an appropriate definition of “communities”. Existing instruments, such as the report of the Non-Personal Data Committee set up by the Ministry of Electronics and Information Technology, either fail to define communities altogether or classify them with a sweeping brush—suggesting, for example, that users of ride-hailing apps may form a “community”, notwithstanding the lack of a common identity and purpose.[32] While domestic policy enthusiasm certainly propels rule-shaping abroad, it is not sufficient to facilitate meaningful rule-making in the absence of a thorough understanding of the design and import of domestic regulation.
Pillar 2: Cross-border data flows and digital trade
In keeping with its foreign policy tradition of actively shaping debates on global trade rules,[33] India has been an active participant in the ongoing contestation on regulating cross-border data flows. As mentioned earlier, India and South Africa have been the leading voices against the continued extension of the 1998 WTO moratorium on the imposition of customs duties on e-commerce transmissions. India has also frequently stressed the importance of continuing the WTO work programme at the General Council and eloquently opposed the parallel talks set up in 2017. As per a Business Standard report, while opposing the creation of the parallel rule-making setup, an unnamed Indian official specifically referred to cross-border data flows and the need for India to retain policymaking discretion on the issue.[34]
India’s localisation gambit is driven by clear strategic interests, the most significant of which are: ensuring that citizens’ data remains accessible to Indian actors—companies, individuals, and the government—so that they can derive value from it; and the slow and cumbersome process when Indian law enforcement agencies need access to citizens’ data stored abroad (largely in data centres in the US) for criminal investigations. The present Mutual Legal Assistance Treaty process that governs this access is now glacial,[35] and results in a brazenly inequitable situation where Indian law enforcement agencies investigating a crime committed in India—and with the primary suspect and victims being Indian—need to comply with US law (Electronic Communication Privacy Act) to successfully acquire the electronic evidence needed to conduct the investigation. Data localisation does not entirely solve the legal quagmire around these jurisdictional issues, but it does enable India to assert itself diplomatically and trigger a shift towards a more equitable data-sharing regime.[36]
Domestically, India has taken an “all of government” approach to data localisation through a number of cross-sectoral policies that impose restrictions on the cross-border transfer of data.[37] Like India’s negotiations at the Framework Convention on Tobacco Control, strong institutional views and institutional cohesion among government entities have played no small part in India’s robust stance globally.[38] There have also been significant and competing forces of influence from domestic and international pressure groups, which has shaped the evolution of the localisation mandate across policy instruments.[39]
India continued its assertive foreign policy approach at the Osaka Summit in 2019. Along with the other BRICS countries, India emphasised the crucial role data plays for the development of emerging economies and refrained from signing onto Osaka Track.[40] Then foreign secretary Vijay Gokhale clarified that rulemaking on data transfers should not take place outside the aegis of the WTO General Council as it would dilute the voice of emerging economies in framing the debate.[41]
It is worth noting, however, that India softened its stance on data localisation wherever it served its strategic interests to do so. While negotiating the RCEP (which India opted out of for reasons other than digital trade issues), divergences on cross-border data flows were a key focus.[42] At the Bangkok negotiation rounds in October 2019, India initially blocked the financial services and e-commerce chapter, as complying with these rules would not have been in line with India’s “essential security interest and national interests.”[43] However, a few days later, India diluted its stance and allowed the chapter to pass on the condition that the exceptions on “essential security interests” and “legitimate public policy objectives” were included. This flexibility in approach will be tested as India negotiates future trade agreements, including free trade pacts with the European Union (EU), United Kingdom (UK), and the US.
Pillar 3: Securitising the economic
The final pillar of India’s data diplomacy has been predicated ostensibly on safeguarding its citizens’ data from external threats. In the aftermath of tensions at the India-China border in June 2020, India banned over 200 Chinese apps that were being used by “elements hostile to national security and defense of India, which ultimately impinges upon the sovereignty and integrity of India.”[44] The wording of this press release has been adopted from the provision that enabled the ban—Section 69A of the Information Technology Act, which in turn derives its semantics from reasonable restrictions to freedom of speech and expression under Article 19(2) of the Constitution. While the press releases accompanying these orders stressed on the emergency measures being integral to the protection of citizen interests, it is clear that these restrictions are also being used as an economic tool against the Chinese threat in the security realm.
This blurring of lines between the economic and security realms has been observed by international relations scholars commenting on the last decade, and India’s harsh data diplomacy approach to China appears to be going the same way. These actions are also a defensive tool, preventing the extent of Chinese encroachment into India’s digital ecosystem.[45] Various concerns have been raised about the Chinese Communist Party’s influence over the country’s private sector under President Xi Jinping.[46] The 2017 National Intelligence Law also imposes an obligation on Chinese companies to “support, assist, and co-operate”[47] with China’s intelligence-gathering authorities, although some scholars have argued that the law is not “black or white,” and sometimes companies do push back against government request for access to data.[48] Along with the restrictions on Chinese investments and possible restrictions on Huawei’s participation in 5G trials, it is clear that the limits on Chinese apps is part of a larger decoupling strategy, one that is likely to shape the more aggressive spectrum of India’s data diplomacy strategy in the years to come.[49] Strategising this approach effectively to minimise economic costs for, and harm to Indian consumers while cementing concrete reputational and security gains will be integral to India’s ‘data sovereignty’ vision.
Shaping the Way Forward on Data Diplomacy
In data governance and the diplomatic strategy required for it, the economic, security and developmental ramifications cannot be artificially segregated given the all-encompassing role of data. Crafting norms for the digital world has been a challenge for the global community, with the world split into two ideological camps—the first led by the US, which believes in unrestricted flow of data, taking a laissez-faire approach to government intervention and protection of international human rights online with multistakeholder feedback; and the other championed by the Russian and Chinese philosophy of “information sovereignty”, which allows states to define their network frontiers and regulate them as they see fit, bearing their sovereign interests in mind. The EU is perhaps shifting away from the US camp towards a third way—one that appropriately regulates multinational companies to further public interest while still championing civil liberties online and cross-border data flows with minimal restrictions. India has often been regarded as a crucial “digital decider” in this space, and its diplomacy is likely to define this regime for years to come. India can achieve this in the following ways:
Protect constitutional ethos and democratic fibre at home.
The fulcrum of India’s data diplomacy should be predicated on the rule of law and the genuine protection of fundamental rights enshrined in the Constitution. A commitment to the rule of law and accountability for all actors sets India apart from present adversaries like China and offers an opportunity to burnish its reputation globally.
India’s surveillance regime is in urgent need of reform. The present legal framework allows various government entities to access personal information in the absence of judicial or parliamentary oversight. Section 35 of the Personal Data Protection Bill, under consideration by the Joint Parliamentary Committee, does not ameliorate the legal framework.[50] It exempts government agencies from obligations under the Bill whenever the Centre feels it is “necessary or expedient” in the “interests of sovereignty and integrity of India, national security, friendly relations with foreign states, and public order.” The phrase “necessary or expedient” provides capacious room for discretion and does not comply with the “necessary and proportionate” standard laid out by international human rights law.[51] This is a missed opportunity. Consider the recent decision of the Court of Justice of the European Union in the much-celebrated Schrems II case—restriction on data transfers to the US, as the judges held that the lax US surveillance regime failed to guarantee the privacy of EU citizens.[52] Through this judgment, it sent a strong message to the world, that the privacy of EU citizens will be protected from external threats as robustly as it is within the domestic jurisdiction of the EU.
India’s constitutional fibre is certainly as rich as that of the EU’s, and it needs to be utilised more concretely in the digital realm to protect citizen rights and set itself apart from the more autocratic processes in countries like China. India’s constitutional ethos not only guarantees civil liberties but also underscores socioeconomic empowerment and the reduction of power asymmetries. Large technology companies have been the beneficiaries of burgeoning power asymmetries brought about by a lack of effective regulation, particularly in emerging economies. India’s digital sovereignty vision has already captured this and should continue to ensure that these companies do not compromise on public interest to retain their positions in the financial pecking orders. India must be wary, however, of impulsive solutions that simply transfer the levers of power from foreign digital titans to Indian ones at the expense of smaller businesses and consumers. Sovereignty enables a legitimate government to enact laws but a commitment to constitutionalism should keep that power in check.
The same standard should apply to the slew of policies on data governance. There are several contrasting views on these policies, each of them bona fide and important. Devising effective regulation on emerging technologies requires rigorous consultation. While all government policies are open for consultation, it is imperative that these are meaningful and genuine. The views of all interested stakeholders should be debated, evaluated and reflected upon, which is the essence of India’s vibrant democracy, and should form the centrepiece of ideological moorings abroad.
Ideology matters abroad must adopt a principles-based approach to data governance.
External Affairs Minister S. Jaishankar has emphasised the need for policymakers to consider the merits of realism in India’s approach to world affairs.[53] This is undeniable—any aspect of India’s foreign policy must be tied to its core strategic interests. One might argue that ideological grandstanding may come at the cost of political flexibility. However, in a nascent global governance regime, like that on data, ideological commitments and strategic interests go hand in hand. Consider the evolution of the doctrine of Permanent Sovereignty over Natural Resources (PSNR), which was articulated by the recently decolonised developing countries in the 1950s to claim ownership of natural resources in their territories.[54] The articulation was fueled by concerns that orthodox international law disciplines, such as foreign investment law and the law governing the high seas at the time, undermined the exercising of the state’s sovereign rights, favouring capital exporting states and corporations.[55] Through the PSNR, developing countries asserted an ‘inalienable,’ an ‘absolute’ and a ‘permanent right’ over their natural resources.[56] Adopted in 1962, the PSNR, as it currently stands, has evolved over several decades,[57] and sought to balance the rights of capital exporting and importing countries by limiting expropriation only to instances where it was based on public interest and appropriate compensation was paid.[58]
India’s contributions to the PSNR’s evolution are fascinating. While firmly entrenched in the coalition of developing countries that battled for it, India was not entirely opposed to the use of foreign technology and foreign investment.[59] However, it remained firm and submitted several proposals to further the case that citizens of the developing world should be the prime beneficiaries of resources around their land borders.[60] As the PSNR became a core doctrine of international law, India was able to use it to negotiate outcomes favorable to its interests across legal regimes, including investment, climate change, and law of the seas.
The world is at a similar impasse, where the political economy of data requires an overarching ideology for data dividends to be distributed equitably. India is not the only emerging economy serving as fodder for Big Tech’s exploits. The African continent has fallen prey to both US and Chinese tech giants, at the cost of their indigenous tech development and economic empowerment.[61] Articulating a principles-based doctrine to tech governance that accounts for these power asymmetries wills India to bring other interested actors on board. It will also not confine India into making commitments, as principles-driven ideological commitments should be broad enough to retain strategic autonomy, while reiterating India’s commitment to regulating Big Tech to foster citizen empowerment and protect human rights.
Join coalitions and find compromise.
In June 2020, India became a founding member of Global Partnership on Artificial Intelligence, a coalition set up to chart out rules of the road for the governance of artificial intelligence (AI).[62] It comprises all G7 member countries, South Korea, Singapore, Slovenia, and the EU. Barring Slovenia, all other countries have signed on to the Osaka Track, thereby implicitly endorsing the development of rules on the global free flow of data. Notably, the global AI partnership excludes both China and Russia. It is unclear from publicly available information how exactly India plans to shape this coalition; but importantly, it is in the room.
India should also look to build new coalitions on data. The Quadrilateral Security Dialogue with Japan, Australia and the US, for instance, is an interesting prospect. While it originated as a security mechanism, recent commentary suggests that it aims to do much more.[63] Australia has already invested AU$500,000 to support the development of a Quad Tech Network that focuses on cybersecurity and sensitive technology issues, including AI.[64] The Quad Principles on Technology Design, Development, Governance and Use articulated after the first in-person meeting of Quad leaders is an important step in that direction, although the substantive content needs more specifics.[65]
The larger point is that values-driven coalitions of this nature matter. They serve as important forums for exchanges of democratic practices while also serving as a bulwark that can preserve India’s security interests in the digital sphere against adversaries such as China. India should also look to leverage this network to shape discussions and use this as a step-stone to negotiate norms at the international level.
Indeed, negotiating always entails compromise to some extent. In the past, India has engaged in reciprocal compromise based on strategic interests.[66] At the WTO, however, India has remained steadfast in its opposition to any e-commerce talks outside the General Council Framework. While this resistance should be applauded, states are willing to eschew the WTO and create rules on trade in e-commerce at other forums, including regional trade agreements, given the ongoing stalemate.
Continuing its present approach will deny India a crucial opportunity to shape and propose alternatives to rules that will inevitably end up impacting how it engages with an inter-connected world. The flexibility it demonstrated with RCEP, where it allowed the retention of the prohibition on localisation with a broad exemption to accommodate its interests, is the example to follow.
Further, India need not remain in the trenches against an ‘all or nothing’ deal that forces it to adopt consensus-based rule-making on all issues of digital trade. Instead, India should push for the modular approach adopted by the Digital Economy Partnership Agreement (DEPA) between Singapore, Chile and New Zealand. Members can decide on an assortment of modules they want to comply with.[67] Such an arrangement could push the needle towards the creation of a global legal architecture but one that is enforced incrementally as emerging economies like India ferment and implement domestic frameworks that work in their interests.
There may be other cases where signing up for a coalition could entail committing to pre-defined outcomes like with the Osaka Track on data free flow. In such cases, it may be wise to opt out, as India has done.
Burnish the ‘all of government’ approach.
India’s most pointed global negotiations must be driven by clearly defined strategic interests, a robust institutional setup that channels the expertise and involvement of all government institutions, and equally respects the voices of several domestic and external pressure groups.[68] However, there is scope for more concrete domestic regulation stemming not just from nodal ministries but also from judicial and quasi-judicial institutions. The Competition Commission of India (CCI) has an important role to play in the evolution and implementation of sound competition policy that empowers smaller businesses in India while keeping the power of big technology companies in check. The Ministry of External Affairs’ New and Emerging Strategic Technologies Division could play a nodal role and coordinate inputs from the various government entities regulating different aspects of data governance.[69] When navigating the complex fissures in a rapidly emerging regime, internal cohesion and engagement are crucial. India should remain steadfast in its digital sovereignty vision while being open to feedback on its precise contours.
Conclusion
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.
PDF Download
PREV
