India's Data Protection Bill in Geopolitical Context

Blog Post
July 10, 2019

In July 2018, India’s Ministry of Electronics & Information Technology released an initial version of its Draft Personal Data Protection Bill. The objective was to develop legislation to “ensure growth of the digital economy while keeping personal data of citizens secure and protected.” Now, the bill is headed to Indian parliament.

As the world’s largest democracy, and with a burgeoning technology sector, India’s emergent position on data privacy and data governance stands to have worldwide impacts on commerce, innovation, and geopolitical competition writ large.

So what does this legislation do? Broadly, it brings together rules and requirements around data sovereignty (a state’s right to control the data in its own borders, as part of its overall sovereignty) and data localization (requiring data on certain persons to be stored within certain borders). One section of the draft document lays out data localization requirements for those storing and processing data on Indian citizens, regardless of whether they are based or operating within Indian territory. In some ways, this is similar to data localization requirements in GDPR, the EU’s General Data Protection Regulation. Other sections cover issues ranging from how to think about defining consent to classifying information like caste as “sensitive data.” In sum, the document sets out in broad strokes some of the components of an Indian data privacy framework.

The reception to the bill has been mixed. On the one hand, Indian data protections can be seen as pushback against “data colonization” by Western tech firms, a new form of “profit and plunder” where citizens’ data is harvested by foreign companies without leaving those citizens, or even their country writ large, any share of the profits. This data colonialism can result in serious power imbalances between foreign companies and the Indian government, sometimes to the detriment of domestic innovation when a few select firms control the bulk of access to online services and data collection. As one stakeholder put it, “India has grown rich in data before in its economy. There is a need to make sure that this data is mined for Indian and not foreign interest.” In this way, one of the bill’s objectives, Arun Mohan Sukumar from India's Observer Research Foundation points out, is to give “data fiduciaries” the power to “return” data collected by foreign firms to Indian citizens, and give domestic firms a leg up on other players in the global market.

On the other hand, American tech companies have raised concerns over the data localization element—saying requirements to store data locally could hurt local and foreign firms and “negatively impact the flow of foreign investments.” Other analysts have also criticized this element of the bill, and expressed fears over weak safeguards against state access to locally stored data. Shashi Tharoor, a member of India’s parliament and former U.N. under-secretary-general, has written about the need for a “robust data protection law,” while simultaneously critiquing Prime Minister Modi’s “pattern of seeking more and more digital control over and surveillance of its people.” For it’s not just foreign companies storing Indian citizens’ data that could be impacted, but Indian companies too—with many drawing attention to the bill’s failure to clearly delineate who owns data, the user or the platform. This marks one way in which the bill departs from the EU’s GDPR, which clearly puts the ownership of data in the hands of the data subject. The Indian draft law has yet to decisively provide an answer to this question.

As such, it’s still unclear how the draft law will be implemented. Like with any democracy, and especially given India’s size and current political environment, there are many stakeholders with skin in the game here, such as foreign technology firms, domestic companies, state governments, internet freedom organizations, and Indian citizens. Yet the geopolitical impacts of India’s emerging stand on data governance cannot be overstated.

Data governance, as Samm Sacks and I recently wrote, is an increasingly important element of contemporary geopolitical competition. The 1s and 0s that flow across the internet underpin everything from banking transactions to social media personalization. Data generated by machines and humans alike can be used to train AI systems that are poised to greatly impact state power by revolutionizing everything from military command-and-control to urban transportation. Data governance regimes (laws, regulations, standards, etc.) that control access to potential AI training data in other countries—and that contribute to broader moderation of foreign companies’ market access writ large—are poised to have widespread impacts on global commerce and tech competition, with implications for national security. Now, India finds itself at the heart of this global emergence of data governance in geopolitical competition.

India is the world’s largest democracy and, although the pace of economic growth has recently slowed, the country nonetheless has a rapidly growing economy. As such, the country holds an important position: a key global influencer on technology norm-setting, a growing player in the global technology sector, and a large potential market for foreign technology firms.

On the democratic norm side, India is an important stakeholder in global conversations about how democracies should balance tech regulation questions around privacy, national security, innovation, and other issues. To quote Arindrajit Basu from India’s nonprofit Centre for Internet & Society, India “has clearly established an appetite to regulate Big Tech” through a “slew of policies” not just constrained to this bill. India’s National Strategy for Artificial Intelligence and Draft National e-Commerce Policy are other pieces of the puzzle currently in the works. The country also has the potential, Basu adds, to “cement itself as an incubator of responsible, thoughtful, and efficient tech policy for the world—in a manner that safeguards its core strategic interests.” Indeed, India’s domestic example-setting and international norm engagement will help chart the future for emerging economies.

On the economic side of things, India has a burgeoning technology sector, with Bangalore regularly dubbed the Silicon Valley of India. A number of government initiatives to fund and encourage startups have been instituted with the aim of leveling the playing field to compete with foreign firms. The Department for Promotion of Industry and Internal Trade—in yet another example of the country’s focus on growing its domestic technology ecosystem—plans to set up a dedicated fund for Indian startups operating in certain priority sectors. All of these changes are not without challenges and unequal distribution (i.e., digital divides), but the role Indian technology companies and its technology ecosystem writ large play in global tech competition is hardly constrained to outsourcing, as some in the West might stereotype. There are also over half a billion internet users within India’s borders, second only to China; it’s a potentially enormous market in which many foreign technology firms desire to gain and hold ground.

“We don’t want to build walls,” secretary of telecommunications Aruna Sundararajan told The New York Times, “but at the same time, we explicitly recognize that data is a strategic asset.” She has called this part of a broader plan to catalyze the “rise of Indian tech companies.” India’s information technology and telecom minister has similarly said that Indian data sovereignty is “non-negotiable”—that while “some degree of data movement is important in a digital world… [it] will be based upon reciprocity and understanding.” All to underscore the fact that India recognizes the geopolitical importance of its data policies, and that it won’t just hinge its decision-making around these issues on the desires of Western tech companies.

India is not alone in confronting these challenges. As many countries—including the likes of the United States, European Union, Japan, and China—attempt to balance privacy, innovation, and national security in various ways with respect to data—and, insofar as data plays a role in AI development, with respect to AI regulation as well—India is both aiming to put a flag in the ground and find its own way.