- Cross-border data flows were first deliberated at international fora, before trickling down into domestic policy.
- Countries’ conflicting value systems inhibit the development of a global treaty on data or Internet governance.
- India consistently looks to preserve domestic policy space as it negotiates internationally on technology policy.
- Market imperatives can help build global consensus between countries on cross-border data flows.
- India’s upcoming G20 Presidency can bring differing points of view together and shape the future of digital governance.
“Rather than looking at how international deliberations [on tech policy] impact domestic policies, it’s more important to examine how India uses its geopolitical and diplomatic space to carve out domestic policy space for itself at these negotiations,” said Arindrajit Basu during the “Geopolitics, Data Segmentation and Cross Border Data Flows” panel at PrivacyNama, MediaNama’s premier virtual conference on data governance and privacy held on October 6, 7 and 11, 2022.
Basu, a non-resident fellow at the Centre for Internet and Society (CIS), was joined by Sidharth Deb (Programme Officer) and Sukanya Thapliyal (Project Officer) at the Technology and National Security vertical at the Centre for Communication Governance at the National Law University, Delhi (CCG-NLUD). The discussion was moderated by MediaNama‘s Aarathi Ganesan.
MediaNama is hosting these discussions with support from Mozilla, Meta, Walmart, Amazon, the Centre for Communication Governance at NLU Delhi, Access Now, the Centre for Internet and Society, and the Advertising Standards Council of India.
FREE READ of the day by MediaNama: Click here to sign-up for our free-read of the day newsletter delivered daily before 9 AM in your inbox.
How do international multilateral fora shape data flow arrangements between countries? Where do these discussions take place?
Discussions on cross-border data flows are international by nature: “These ideas have seeped down into domestic policy from international fora, where these discussions take place. They don’t place it at a particular negotiating table—it [where an issue is debated] depends on the sector and the interests,” said Thapliyal, drawing from her research on international trade law, emerging technologies, and national security.
“Discussions about economics [of technology or of data flows] take place within the World Trade Organization (WTO), and also through different Regional Trade Agreements (RTA), Free Trade Agreements (FTA), and regional trading blocs,” added Thapliyal. Negotiations on international cybercrime and related data take place at the United Nations Ad Hoc on cybercrime governance. “Here, countries discuss how they can better access data, how to understand sensitive data, how access should be ensured, and what limitations should be there on the legal enforcement agencies while sharing such kinds of data.”
Why is there a lack of global consensus on Internet governance and cross-border data flows?
Consensus-building is hindered by contested value systems: “The internet is a by-product of a unipolar international order. Post the falling of the Berlin Wall and during the initial global expansion of the Internet and cyberspace, there was a push towards developing multi-stakeholder internet and cyberspace governance,” noted Deb, who researches domestic and international discourse at the intersection of technology law and policy, geopolitics, cybersecurity, human rights, and the rule of law.
“There has been a lot of movement from states themselves about the values or principles through which data can be governed. Because we don’t have a synchronised international understanding of what this value system should be, there has been a lot of contestability in the space.” — Sidharth Deb (CCG-NLUD)
Different countries’ approaches to data flows: “Europe’s approach to restricting cross-border data flows stems from the perspective of protecting its citizens’ rights, which includes the right to privacy,” explained Deb. “Conversely, the value system emerging from the US talks about cross-border data flows from the perspective of the free flow of information, which is guided by two pillars. The first is the absolute nature in which the US looks at freedom of speech and expression. The other is that this caters to their own economic interests, given that many large digital platforms, services, and network providers emerge from the US.”
These approaches receive pushback from the Sino-Russian bloc. Deb noted that for Russia, “cross-border data flows are viewed through the lens of information security and information sovereignty to give the government power to decide which data should reside within borders and on what conditions, and if need be, to decide when the government can access data. China’s stance is a mix between this information security doctrine and its own economic interests of exporting IT services emerging from the Chinese digital market.”
Where does India stand in this contested space? Does it align with a specific regional approach to cross-border data flows, or carve out its own space?
India’s approach is informed by multiple lenses: “The best way to characterise India is that it looks at which forum it is negotiating at and borrows something from each particular larger model,” said Basu, who studies the constitutionality and geopolitics of emerging technologies.
India keen to preserve domestic policy space: India is not a member of key RTAs pertaining to technology—such as the Regional Comprehensive Economic Partnership (RCEP) and the Comprehensive and Progressive Trans-Pacific Partnership. Neither has it signed the Joint Statement Initiative (JSI) for the e-commerce treaty being negotiated at the WTO. “Publicly, India has not signed the JSI because [it claims that] it is an ‘illegal initiative’. Any WTO initiative has to take all members on board,” explained Basu. “The other reason, is that India wants to preserve domestic policy space to create policies for its digital economy.”
“So, rather than thinking of how domestic policy is being impacted by these international negotiations (..) India is looking to preserve domestic policy space and consequently opting out of [many of] these negotiations for now.” — Arindrajit Basu (CIS)
“[For India,] Data can be looked at as a factor of production for economic activities,” noted Deb. “Data can [also] be viewed through the lens of (..) evidence when cybercrime events take place. Another lens is national security (..) [such as] through which networks Indian data is flowing and if are there risks when it circulates in jurisdictions that the Indian government views as unfavourable or hostile.”
This question of national security interests has appeared at the United Nations Ad Hoc Committee, as observed by Thapliyal.
“India’s interest in jurisdiction issues and [cross-border data flows] is rooted in its inability to access data located elsewhere, as well as the inefficiencies with existing Mutual Legal Assistance Treaties.” — Sukanya Thapliyal (CCG-NLUD)
“That is why India has, in its recent submission at the UN, explored the idea of data-based jurisdiction, which is relatively new in this debate,” adds Thapliyal. “This would allow a country to get hold of data located elsewhere, although it is unlikely that this proposal will be received well by other participating countries.”
Does any country have a clear vision of what it wants the future of Internet governance to look like? Does India?
Bloc-based ‘alignment’ to data flows may be redundant: “To think of Internet governance as divided between three models—between the US, the EU, and China and Russia—is a little bit simplistic,” suggested Basu. Basu illustrated that South Korea, which otherwise supports the free flow of data proposed at multilateral and regional groupings, also has restrictive data localisation policies in place to curb potential threats from North Korean intelligence agencies.
Deb gently rebutted, highlighting that while there is heterogeneity in how individual states approach these issues, regional perspectives can steer and shape approaches to common value systems to tech governance.
Lack of cohesive Indian vision on Internet governance?: “My research suggests that a lot of the Indian engagement, at least when it comes to cyberspace discussions at forums like the United Nations, is ad hoc in nature. There hasn’t been a lot of sustained strategy in so far as what is India’s outlook to an overarching international cyber governance framework,” noted Deb.
Thapliyal slightly differed, noting that at the UN cybercrime negotiations, “India is very clear that it wants more access to data and better mechanisms for sharing cross-border data with law enforcement agencies. [When it comes to economic and trade negotiations] India is clear that it wants to hold the floodgates until its domestic [digital] industry is ripe enough to be opened to the competitive market.”
However, this coherence may be limited, as Thapliyal observed.
“These negotiations are happening in silos. One ministry is negotiating with a particular mindset and another one has a different objective. (..) There has to be coordination within the government on how they want to go about it.” — Sukanya Thapliyal (CCG-NLUD)
Given these contested negotiations, is there any scope for future global consensus on cross-border data flows?
Market costs can facilitate consensus for digital governance and data flows: “The most influential actor in this multi-stakeholder model [of global Internet governance] is not civil society but the private sector,” argued Basu. “Once companies [feel that they] are not able to do business in certain jurisdictions anymore and exit, that’s when the states actually start opting for convergence and compromise. It’s all about how states are incentivised to negotiate. I firmly believe that this narrative of freedom versus state sovereignty [when it comes to data flows and Internet governance] is a reflection of how the market and voting population is telling you to negotiate.”
“There are now around 154 data localization policies [worldwide] that broadly restrict the free flow of data in some way or the other. These are unlikely to go away unless the market that influences policymaking says that this is not a sustainable way for the Internet to continue to function. When it comes to trade, there is likely to be some convergence dictated by what the market imperatives are. Even with India, reports suggested that because start-ups were not satisfied with data localization provisions, there may be changes to those recommended in the draft Data Protection Bill.” — Arindrajit Basu (CIS)
Consensus building is possible: Deb outlined four pillars to focus on to achieve this, namely:
- Jurisdiction: “Jurisdiction, which is a subset of sovereignty, is being disrupted [by the Internet and cyberspace]. [With regard to cross-border data flows, for example] Users can be situated in two different countries, whereas the evidence of a certain incident taking place can reside in a third country. In a situation like this, where there are three to four jurisdictions whose laws might be applicable, how does a company decide which particular law, local law or policy that they must comply with? This is a useful context within which to think of India’s proposal for data-based jurisdiction.”
- Reciprocity: “Instead of thinking of restrictions on cross-border data flows unilaterally, states also need to think about reciprocity. [For example] The latest draft of the Data Protection Bill, as much as it was rolled back because US state representatives and tech companies were unhappy with the excessive compliances that were emerging, was also critiqued by the Indian start-up community about the potential costs that any sort of reciprocal policy with another country could create if there are restrictions on data flows into India. At the end of the day, our IT sector and its continual growth are premised on the idea of data flowing seamlessly into the Indian jurisdiction.”
- Capacity building: “Developing countries must get some sort of institutional support and resources. When countries like India and South Africa make representations that they are not prepared to negotiate at this stage for an international treaty or digital trade, partially it is because they understand that there is a certain capacity deficit which subsists within our local institutions and laws. Until that capacity deficit is plugged, meaningfully forming normative frameworks at the international level becomes really difficult. In fact, it is in the [developing] state’s strategic interest to delay that conversation till a later juncture. We need to keep in mind that capacity building has to be an essential element of any pathway towards international consensus when it comes to data governance.”
- Democracy and human rights: [When talking about common standards for cross-border data flows] Concepts of trust, stability, and security [are key and] and India should [especially] be talking about [the role of] human rights and democracy in the rule of law. This is one aspect India can talk about in interstate dialogue when it comes to how it can counter China in cyberspace [and build consensus]. If you are talking about democracy in the rule of law and human rights, your local laws and policies must reflect that.”
Global consensus is rare: However, both Thapliyal and Basu note a growing consensus among countries that they may not always see eye-to-eye—and that expecting them to do so may be optimistic. “At the UN Cybercrime convention, countries agree to disagree, they know that they may not arrive at a consensus,” notes Thapliyal.
“This is [also] not the first time we’ve had different players, with different motivations coming to a common platform and bargaining among themselves,” added Thapliyal, referring to deliberations on the TRIPS agreement at the WTO, which deals with intellectual property rights and health. “The mechanism adopted at the time gave more policy space to countries (..) to preserve their own understanding of how they want their digital markets to come into existence. This may be one way [of building global consensus].”
“The role of international law is to facilitate [countries through] conflict and allows them to do business with each other on the Internet,” argued Basu. “For example, there is no one definition of sovereignty that everyone agrees to but it still is a tool that is regularly used by policymakers to shape discussions. [The question before us then is] How will the internet as we know it today evolve in response to this kind of managed conflict on how it has to be governed?”
What shifts in global tech policy can we expect from India’s Presidency of the G20 summit?
FTAs may shape India’s G20 run: “India is signing multiple FTAs which might change our approaches to data flows,” noted Thapliyal. “These agreements have been signed with very strong trade partners like the United Kingdom, the European Union, Australia, and the UAE. These developments will have some sort of impact on how we are going to move ahead with the G20 presidency, and what kind of demands [within tech policy] we are going to lay out for the other countries.”
G20 Presidency an “opportunity to bring actors together”: “As the G20 President, India is uniquely positioned to actually take the next step [globally] on data governance and cross-border flows simply because it has not opted into one narrative of how the Internet should be governed,” said Basu.
“This is also an opportunity for India to use evidence from domestic policy to shape the narrative on Internet governance. Not because India needs to create a fourth bloc—but because it is important for experiences from the world’s largest democracy to shape narratives on global policy issues.” — Arindrajit Basu (CIS)
Agreeing with Basu, Deb added that the forum is an opportunity to think of minimum standards to enable cross-border data flows, aside from law and policy instruments.
“For instance, the Asia-Pacific Economic Cooperation (APEC) forum worked together to develop a common privacy standard. This certification has been adopted and scaled on a voluntary basis across economic actors in that particular bloc. Over time the APEC certification conveys the signal of trust that there is a minimal level of privacy or protection that is accorded whenever data flows across those particular countries. It might be useful for India as it looks at its G20 Presidency to try and pilot similar exercises and see if there is some receptiveness to these certification frameworks. If they can be scaled, there is a possibility for greater policy consensus amongst important digital markets.” — Sidharth Deb (CCG-NLUD)
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- PrivacyNama Session: Geopolitics, Data Segmentation And Cross Border Data Flows; October 6
- Data Protection Bill 2021: Summary Of Data Localisation Norms And Restrictions On Cross Border Data Transfers
- India Pushes For Customs Duties On ‘Electronic Transmission’ At The World Trade Organization
- ‘Grossly Offensive Speech’: IT Act’s Struck Down Section 66A Reappears In India’s Cybercrime Proposal At U.N.