“I’m worried”, a participant at ORF’s Round Table on ‘India at the Crossroads: Unlocking the Nation’s Digital Potential’, said. “I’m worried about the Personal Data Protection bill being a miss, and creating more turbulence. I’m worried about bilateral trade discussions, and that this issue [data localisation] will become the new issue in trade fights. I’m worried about bureaucrats on both US and India sides not understanding technicalities [of data governance]. I’m worried about protectionism. Is it about law enforcement access, privacy or giving Indian companies a competitive advantage? I’m worried about data being treated as currency or oil. The [Indian government’s idea of] monetisation of [personal] data is a very provocative thought, and that flies in the face of protecting peoples privacy. It’s an analogy that not everyone accepts.”
[Note that the discussion was held under the Chatham House Rule, where comments may be reported, but without attribution. We’ve also moved the sequence of comments around, to further protect the identity of the individuals who spoke.]
The “‘Data Sovereignty’ ideology”, another participant pointed out, “appears as if we’re going backwards”. The point of data sovereignty came up repeatedly during the discussion, at one point, as a more positive and palpable phrase than ‘Data Localisation’, before a speaker pointed out that the idea of sovereignty can also be taken in another context, hinting that it may apply to the supreme power of the state over citizens. Indeed, some participants tried to position data as the new oil, or as a state resource, and more pertinently, “Data is a factor of production, leading to the conditioning of development.” I countered that, reminding people in the room that “My data is not your resource”.
Comment of the day (in my opinion): “The same businessman who made a plea for data being oil has imported oil his whole life.”
Other notes from the discussion, mostly paraphrased:
Digital is critical to India’s growth
- The PM [Modi] is right about the intersection of [tech] policy and development. Villages are more connected, and those populations are having the benefits of an interconnected world.
- The manner in which the govt sees the Internet, it does regard it as a public good. It hasn’t strongly come up with these assertions, but going by the manner in which it has built a string of platforms, such as Aadhaar, GSTN and UPI, it believes in creating some of these digital platforms from the ground up.
- The rules of engagement are still being drafted. The government is making big political statements, that are nice vision statements, that people can hold on to. You need to look at the Indian market in a different way. If you look at this government alone, in the last 5 years, it has come up with digitally enabling empowering tools: Aadhaar, Jan Dhan, GST. All these tools look at attempting to fix problems of an unusually large scale. India is way ahead in terms of delivery at a mass level. India is not lagging the tech curve in terms of delivering to people. These wouldn’t have happened without any rules.
- Is policy trying to fix a market failure, rather than an overarching approach to what India needs? Not enough thought goes into cost-benefit. Do we have the capacity do deliver? It’s wrong that the largest players are not being heard? My response: Market failure or cost-benefit analysis don’t matter when there is an ideology at play. For the first time over the last few governments, we have one that has an ideological approach to technology policy, and that is of viewing data as a national asset, and technology and data as an enabler for delivering government services and Indian business growth. Rights are almost irrelevant in this construct, and we must remember that this is a government that argued against a fundamental right to privacy.
- The base document is MEITY’s document of the Indian Trillion Dollar digital opportunity. That’s the Indian plan. It is similar to what China has done.
- The tech sector has done a poor job of articulating the role of technology, where platforms are the new railroads. There would be no startup ecosystem without AWS. Your local innovation system runs on international technology. There would be no apps potential without Android. We have to do a better job of articulating our role. My response to this point: Platforms may be railroads, but what the Indian government wants is its own railroads, which is where the data sharing with Indian businesses approach comes in.
- There is a misinformed debate, when it comes to the idea that “Data is the new oil”. The way in which the analogy was used was very different from what Indian bureaucrats are using this analogy. Ministers are looking at data as similar to Saudi Arabia’s oil reserves. The whole foundation is flawed, and still, policy documents are starting with that statement. The minute we are basing our policymaking on that analogy, we are getting it wrong.
India, the US and data governance
- These [localisation] policy changes are really an expression of economic nationalism. It began with China, the US is leading it now, and when the two largest economies bring this up front, it becomes the overriding theme.
- India wants to take the fourth path, and strike an independent trajectory which borrows from the best of the other 3 paths. The US is market driven, with a muscular and powerful private setup, the EU is more prescriptive in regulatory framework and is rights based, the China model swears by digital sovereignty and is inflexible. India is a mish-mash of these three models. The endeavour is to try and build a unique and distinctive model which appeals to the local milieu.
- The fourth path is not without its share of contradictions. It’s at odds with the horizontal approach, in terms of data localisation, which runs counter of the horizontal approach of the data protection policy.
- At the G20 and the issues that cropped up, cross border data flows is just one case study of how difficult this is. You have the European model, what PM Abe rolled out (DFFT). India wasn’t a signatory to that.
- We have to come to some arrangement on how wealth created through data is shared You have OPEC for Oil, you have indexes and other systems. Even if we go with that analogy, there is a complete lack of arrangements that manage the flow of data: An arrangement that benefits data owners, the territories that data is generated from and the international system. The more we delay it, the more national governments will intervene and overreach
- American IP has prevented the flow of data as well, in the sense of allowing open access. Pricing models are also barriers to access. Aaron Schwartz’ death was expected to lead to a rethink of American IP laws but it hasn’t. If we don’t change [the US approach to IP], we are going to see more closed borders.
- We (India) are mocking China in our systems but we are all aping China in our actions.
- In the global trade governance, we are still obsessed with goods and services, and not intangible assets like IP and data. What are the global constructs for global trade on IP and data? What is the new global trade regime, and how does it apply to intangible assets?
- We are hurtling towards a situation which might amount to the country being hugely protectionist in its approach. This is critical in our overall worldview. Would India continue to play an important role in the global scheme of things? It also seems apparent that the government does understand and appreciate the need for growth, creating more job opportunities and striking an a strong protectionist posture here.
- Foreign companies in e-commerce believe that the small traders and shopkeepers should not be heard. However, it’s not that India is against foreign business. India is against business. It has 1900 minimum wages. Don’t look at yourself as the only victims. Even Indian companies are anti-nationals in the Indian economic structure.
- There is a need for a global framework for enabling data sharing. In 2022, when India gets presidency of the G20, can there be a framework for this. The lack of a framework damages trust, local economies.
- Internationalism: we have grown and unleashed what we’ve done because of our integration into an international framework. If we lose sight of that, and then we cede space to other influences that want to erect a protectionist barriers.
- On emerging tech: a possible solution (to localisation) is having a strategic partnership between the Indian arm and the US arm of the same company. When we design policies like localisation, can we make sure that any such engagement between US and India tech is possible? The impact of GDPR on emerging tech is becoming a discussion point in the EU as well.
- There’s a lack of trust between the government and the industry. The industry looks at things from its own perspective. We need a balance. We need to design an interface between India and other countries.
- What’s happening in India is a reversal of internationalism. When we look at books like the world is flat, we are talking about all the gains we made since 1991. It’s dangerous for a developing country like India.
- At times when the rules come out in India, it appears that they are aimed at specific US companies, but they don’t apply to Indian companies who are multinationals in their own right.
- With data localisation, what it means for different groups in the industry is different. It’s different for social media companies, payments processors, banks, and that hasn’t really been thought out. Can we disaggregate data? Commercial data, critical data: it might be easier to achieve an agreement with the US if we do that.
- We need to start focusing on an international framework for the digital world. The framework will have to be led. There’s a body of work on cybercrime, security norms need to be in this created.
- The India and the US, have a large data trade. Can we not work together to try to share what we’re thinking so it can facilitate business growth? We need to hurry up but the opportunity exists.
- The issue will get expedited if we are able to initiate a dialog between the India and US on the cloud act. We should initiate the dialog. That will have an impact on the privacy aspect.
- US Companies are employing half a million people or more in India. The key now is not to mess it up. There is some concern about that.
- An issue is that, at the moment when you talk to US about a special conversation on tech, they don’t want to talk. They go to the UK etc. They see India as a visa issue and a market access issue.
- There’s cooperation between India and the US on infrastructure, energy and digital connectivity. We have to look at that we have as a bilateral process between the US and India. We have the UN GGE, there is APEC (where India is called as an observer). We can work on the rules of the road for the Internet and flows of data. At the G20, Japan put forth the data trust initiative, which India didn’t subscribe to. On the Indo-Pacific side, the 5G conversation is going to be very important. We have the same concerns about the Chinese companies and the system and we are cooperating on that. We can find common ground on that issue.
- When we started the nuclear deal, there were no champions. There will need to be champions in the government for cooperation between India and the US.
- We see eye to eye on a lot of threats in the neighbourhood. We have a parallel process in the ICT working group. That hasn’t met in a considerable amount of time.
- India should consider adding to the Cloud Act.
- If you’re looking at the digital silk road that is coming up, it is as constricted as the physical silk road. It’s BRI in optical fibre. You will have Huawei. There will be a point when China will has its partners to create its own exclusive sphere. Where are we? We should look at an Indo-US agreement and it shouldn’t be as tightly scripted as a nuclear deal. Look at an agreement that harmonises two systems.
- The only actor with an Indo-pacific strategy is China
- The way we need to look at the Indo-US relationship is that there is an opportunity, in terms of aspects like AI and ML. We have the scales, but there’s a technology gap between the two. Standards and testing, law enforcement, cyber diplomacy and capacity building.
- The base document for India’s approach is MEITY’s document of the Indian Trillion Dollar digital opportunity. That’s the Indian plan. It is similar to what China has done.
Concerns about India’s processes and interactions with the government
- Consultation is really key. When I look at the missteps and the RBI circular, it was just lack of consultation. As industry critiqued it, it hardened its position. One wonders if the RBI FAQs that came out in 2017, would we be in the fight we are in, in terms of localisation.
- We need to avoid situations like with e-commerce (Press Note) where we woke up one morning and found that the rules have been changed.
- Lack of consultation is a breach of process. That has taken policymaking to new lows. We’re a democracy, and whether we are a foreign company or a national company, we have a right to be a part of the policymaking process. National companies are foreign funded too. This kind of breach of process [where doors are locked and bureaucrats check your business cards before allowing you into a meeting], divisions serving narrow interests are harming our interests. Do we want to become a country that is taking a stand on digital commerce, or do we want to go down a path where we will go back on innovation and turn the wheels back on globalisation.
- The RBI FAQs won’t stand up in a court of law.
- On the emerging data privacy legislation, has there been enough consultation? Are we going to see legislation that will fly globally, or see new set of disputes and trade actions? I worry about that. There can never be enough consultation.
- We see grand statements, of 1 trillion digital economy, but what are the incremental steps to reach those milestones? Plans don’t see the light of day. What the govt needs to do is rationalise a bit on the grand vision statements, build institutional frameworks and build processes that stand the test of time.
- Delaying the draft privacy bill is not useful. If you give people vacuum, they will chip away at your space bit by bit. Everyone decided to come with their own regulations. [The data localisation order] is a product of the fact that there wasn’t a comprehensive legislation in place.
- What was flawed [about Press Note 2] was that regulatory intervention came in after the [Walmart] investment came through, it shouldn’t be midway through the business cycle. Battlelines have been drawn.
- Two things that may be a nightmare for a policy person: policy paralysis, and the other is policy excessiveness, or an oversupply. There has been an over supply over the last 1-1.5 years. There’s policy uncertainty of a different kind. We’re seeing instability, which is bad for the economy. Oversupply is bad or perhaps worse. There’s regulatory overreach and blurring of lines of jurisdiction. There should be consensus building.
- It’s concerning that we’re being given lessons in nationalism just because we work for American companies.
- At times US companies go and make representations without having consensus. When they give mixed signals, they get mixed signals back. No frameworks work if we have one or two companies outside the framework.
- Even when we don’t agree on policy, if there is transparency, it will be fine.
- What instills confidence is a strong institutional framework built on the edifice of strong fundamentals.
- As long as the govt makes space for an open and transparent dialog across policies, that helps. We come in with our arguments and with our degree of constructive criticism, and the value we bring in showcasing the best practices happening across various parts of the globe.
Security and Law Enforcement Agency issues
- Cyber incidents have gone up significantly, especially from India
- When AI led attack starts, the issues of security scenario are going to be much more complex. The security scenario in the IoT world is going to be much more complex
- When tech becomes complex, it won’t be possible for any agency in any country to not work with the company producing the tech. We need to evolve address data sharing related to incidents.
- Countries have to serve national interest, in a country-first manners and we have to tackle social issues as technologies reach scale.
- There is a situation of continuous requests for data and gag orders from Indian agencies, which leads to trust deficit.
- Vulnerability reporting: we have a mechanism of reporting vulneraiblities, which should be encouraged. In case of UIDAI, adverse legal actions are being taken against those reporting vulnerabilities. If we aren’t encouraging reporting, we are losing out on averting real threat.
The route of the conflict or perceived conflict is a sovereign one. There is a conflict of laws between US and Indian laws. This doesn’t allow US companies to hand over data to any LEA unless certain standards are met. Companies did not make these laws so they can’t solve the conflict. The problem is a sovereign one. The only long term data sharing solution is for the US and India to arrive at a bilateral framework. If it is created everyone will comply, because [companies] won’t want to question the law.
- How do we work, when it comes to Law Enforcement Agencies working with the private sector to address challenges. There should be a larger advisory committee, which the industry can suggest, to address the tech challenges problem, within the mandate of the law. My experience with the govt, they also have been very sensitive that the law should be followed then. The enforcement agencies also want to follow the law. We need a framework. There’s no relationship and no understanding between agencies and industry, because of lack of awareness and education. That needs to be under a uniform framework extended to the state police.
- On Law Enforcement Agency access to data: sometimes there is doubt whether any MNC will agree to give access to data. There will be compliance with all applicable Indian law.
- Are there balanced models for addressing legitimate concerns? Are we solving for those concerns by putting in data localisation mandates? Are we solving for LEA, or for data based wealth creation? Unless we understand the objectives of the govt, we cannot help address those problems.
- If there is a breach in a bank, we get calls from people for data. We don’t own that information. This misplaced request for access to data, and this happens across the board. The problem is the same when the data is needed for research.
- The problem in the last 3-4 years is that there is a blurring of political, government, bureaucracy and technocrats. We could argue with technocrats but not the rest. We need to bring the technocrats back. A lot of the technical discussions need to happen with technocrats.
- MLATs has really not worked.
- Letter of rogatory is far too complex too
- MLATs issue: When it comes to getting digital evidence from overseas stored data, there is a division in the MHA which handles these requests. It is either denied on grounds of privacy or not in accordance with the format required by the Department of Justice in the US. The process is lengthy, cumbersome and it is not addressing the issues in the timely manner. We need timely access to evidence, because without that it is not possible to prosecute cyber criminals.
- There is a similar challenge on the US side. There needs to be a reciprocal arrangement, and trust has to be built up.
- In the Indian LEA, Indian authorities have cooperated, and action has been taken. It’s not that India is not reciprocating. The process has to be expedited, streamlined and simplified
- Two years ago, Indian industry met (US) Department of Justice to ascertain what the issues were, and there was a resource crunch in the US side.
- Indian State police agencies do not subscribe to the MLATs process and are used to getting information when demanded.
- There are no checks and balances on data requests and use by government. There is no transparency, no restrictions on how data can be stored. No grievance redressal.
- LEA requirements is an important driver of localisation, but its not the only one. Even if data were to reside in India, it still doesn’t give LEA access, because law will still be applicable.
- India should offer the same data access to the US. We might be hoarding a lot of the worlds data and we have to prepare for that eventuality.
- On 5G, unless we have the capabilities within India to look at what kind of threats are being posed at a hardware level, with audits, not just telecom but for any equipment.
Need for harmonisation of laws between India and the US
- We need to look more closely at harmonising our (Indian and US) laws
- If the Indian system and the US system begin this conversation, we might be able to deflect a very core problem of asymmetry of power between the two countries, that leads to an inherent suspicion, which is deep set in the public sector. It is deep in government, and this drives all the suspicion.
- It also means that for US companies, they could consider something like technology offsets, that helps you bridge the perception gap with the Indian government, which says that we are stakeholders. Look at it as a confidence building measure.
- LEA questions swirl around justification for regulatory action. We need access to information and this has driven localisation concerns, and the restrictions on cross border flow of data. There are legitimate concerns here, and when you have this interconnected world, we haven’t quite figured out how to address the needs of law enforcement.
- There are also legitimate needs and public safety needs.
- Until you break all of policy developments out and look at them separately, it’s hard to come out with a global solution.
- We can’t dump all of these issues into the same basket, saying that we need a carrot or stick. We have to think of reasons for these initiatives.
Data Protection Bill and data governance
- The industry, government and media is obsessed with localisation, and there are no reasonable conversations. Indian Banks boards have asked for help with compliance with EU GDPR and localisation. When we didn’t have the pressure of regulation or legislation, the focus was on doing the right thing. We need to have nuanced conversations on access to data: it’s not equivalent to localisation.
- We have to put trust as the number one value. Privacy should be important to the government, to businesses and customers. We are forgetting that we need to protect the individual. That’s a conversation we need to have to address concerns that government is raising
- There’s a third element beyond technology, security and privacy, which is fraud. There is a misplaced notion of access to data. It could be LEA, investigation agency, CERT, DPA, access to data for research, startups, and sharing of this data. We as a country, we are not able to get a 360 degree picture of access to data, and how do we govern access to data.
- Internally, govt has been pushing for modifying data protection law. There is still time before the law gets to parliament. It will take over a year for the bill to become a law.
- There are stages there where we can modify the law, or modify the provisions of the bill. There will be a small consultation before Parliament, then with the standing committee and there will be two years for the law to be implemented in full.
- The provisions of the privacy law shouldn’t be applicable to risk compliance.
- We need a data governance policy and have an e-MLAT process. We need to have policy measures around access to data and how do we govern that access.
We need to reinforce with the government: simply access to data does not help innovation. Only data will do nothing. All public sector data was in India, all hospital data was in India, we’ve been able to do nothing.
- The other pillars of localisation are also important: another larger driver is the non contribution of foreign companies to [tax in] the Indian ecosystem. I don’t think this can be quantified. India’s way of creating digital infrastructure is an opportunity. It is open to contribution. The sense is that economic value is being taken away [by foreign companies].
- End users are becoming are more conscious of privacy and regulatory scrutiny will follow.
- The kind of intrusiveness that Google has on Android is scary.
- Data governance and data safety: it’s not the data but the person who needs to be protected.
- Indian industry, IT or user enterprises, are not investing enough in policy debates, and not having rational conversations. There is an overdrive on policy from 5-6 companies, for some of them concerns are identical.
- Indian companies have to also acknowledge that they have skin in the game
- My comment: Indian companies that are getting involved in policy debates include, above all, Reliance Jio and Paytm.
- Big Indian players are never sure whether they want to take a position or not. It’s personality led. They don’t want to get involved. They have too much at stake with the Indian govt.
- Social Media: a whole different set of concerns, on incitement, misinformation. When companies are given the responsibility to decide what is true and not, you get into a metaphysical debate. We haven’t got this balance right.